Patching Oracle, IBM For The Holiday

Security experts at U.K.-based Next Generation Security Software brought tidings of security vulnerabilities in Oracle and IBM software in time for the Christmas holiday.

But both companies have issued patches and fixes to correct the issues.

The firm pointed to vulnerabilities in Oracle’s Application Server and Database Server that may allow an intruder to gain unwanted access privileges. It also said IBM’s DB2 Universal Database also suffers from buffer overflow flaws.

The Oracle flaws, which affect the Redwood Shores, Calif., company’s 10g or 9i software, range from medium to high risk, said NGSSoftware’s David
Litchfield, in a report Thursday. Oracle has released patches for the openings.

Litchfield warned that a high-risk hole in Oracle 10g/9i Database Servers
can allow an attacker to gain illicit privileges on the software. The flaw
has been dubbed a “trigger abuse” vulnerability. While database triggers
normally help maintain data integrity, several default triggers in Oracle
can be abused, Litchfield said.

Litchfield said Oracle 10g Database has an “extproc” buffer overflow, a
high-risk hole that takes advantage of Oracle’s support for the PL/SQL
programming language. Malicious users can execute external procedures via

Two medium-risk bugs also seize on extproc, which has been found to suffer
from a directory traversal problem that allows attackers access to arbitrary
libraries, as well as a local command execution flaw that could allow local users to run commands as an Oracle user.

Oracle 10g and 9i suffer from multiple PL/SQL injection
vulnerabilities, the firm said. The code for PL/SQL procedures can be encrypted to trigger
a buffer overflow. This exploit lets an attacker run code as the Oracle

A character conversion problem exists in Oracle 10g Application Server (AS),
Litchfield said. The high-risk opening allows perpetrators to bypass PL/SQL
exclusions and gain access to the database server. Windows and Linux are

The Application Server is also prone to a ISQL*Plus load.uix file access
opening. The Application Server installs ISQL*Plus. Once logged in, an
attacker can use load.uix to read files on the server, said the security

Lastly on the Oracle front, Litchfield said the 10g Oracle TNS Listener hole
is vulnerable, allowing an intruder to trigger a denial of service attack of
an operating system.

Oracle’s application server and database weren’t the only major
infrastructure products Litchfield shone his spotlight on. He also found
buffer overflows in IBM’s DB2.

IBM has listed fixpacks for a DB2 “generate_distfile” buffer overflow for version 8.1/7.x. Finally, a “rec2xml” function in DB2, used to format a string in XML, is also
to a buffer overflow, but IBM has also issued a fixpack for the issue as well.

Security firm iDefense also said IBM had patched an “invscout” local command execution vulnerability in some newer versions of its AIX operating system this week. According to an advisory it sent on Monday, the exploitation of the vulnerability could allow local attackers to gain increased privileges (although it would require a local account and a writable directory).

IBM issued fixes for AIX versions 5.1.0, 5.2.0 and 5.3.0 and urged customers to upgrade to these levels if they hadn’t already.

News Around the Web