Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Six Unpatched Flaws in Oracle Database Products



 By: Ryan Naraine
2005-07-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A private security research firm goes public with details after waiting more than 700 days for Oracle to release patches.

A German database security outfit on Tuesday went public with information on six unpatched vulnerabilities—some rated critical—in Oracle Forms and Oracle Reports, two widely deployed enterprise-facing products.

Red-Database-Security GmbH, a company that specializes in Oracle security audits, warned that the most serious flaw could allow a malicious hacker to use a Web browser to overwrite any file on a vulnerable application server.

Alexander Kornbrust, founder and CEO of Red-Database-Security, said three of the flaws are deemed "critical" because of the high risk they present to businesses using the affected products.

In an interview with Ziff Davis Internet News, Kornbrust said he decided to publicly release the information after waiting more than 700 days for Oracle to address the issues.

Click here to read more about Oracle recently releasing a set of 49 patches.

Kornbrust said he was expecting to find the patches in Oracles scheduled July release of "Critical Patch Updates" because of the severity and the widespread deployment of Oracle Forms and Oracle Reports.

Resource Library:

Oracle Forms is a component of the Oracle Developer Suite while Oracle Reports is the companys enterprise reporting tool.

The affected products feature prominently in the Oracle Application Server and are also used in the Oracle E-Business Suite.

"Oracles behavior not fixing critical security bugs for a long time is not acceptable for their customers," Kornbrust said, warning that long delays in releasing patches "put their customers in danger."

"At least one of these vulnerabilities can be abused from any attacker on the Internet," he added.

Kornbrust said he notified the informed the Oracle Security Team three months ago of his plan to publish the bug details if fixes were not including in the July batch of patches.

"I know that Oracle products are complex and a good patch quality needs some time. Thats why I offered Oracle additional time if three months were not sufficient for fixing the bugs. Oracle never asked for additional time," he said.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," he added.

Kornbrust, who worked for several years at Oracle Germany, Oracle Switzerland and IBM Global Services as a consultant, said he was not disappointed, but not surprised, that the flaws were not patched.

"This is very typical of the way Oracle deals with security. They take ages to fix serious bugs. Weve had this problem with Oracle for many years," he declared.

Read more here about Oracles previous delay in releasing patches.

Oracle has been heavily criticized in the past for being slow to address critical security flaws.

Last summer, at the BlackHat briefings in Las Vegas, researchers pushed the envelope by releasing details on more than two dozen security holes in Oracle products that had not been fixed.

At the time, Oracle confirmed that it was aware of the vulnerabilities—some of them "high risk"—for several months.

The public relations fallout from that incident prompted Oracle to shift to a quarterly patch cycle, in which four "Critical Patch Updates" will be posted every year.

But it appears the company is still struggling to deal with vulnerabilities that are reported by private researchers.

According to Kornbrusts advisories, Oracle customers can apply pre-patch workarounds to get temporary protection.

The flaws range from cross-site-scripting, information disclosure, file overwrite and the ability to run OS commands on vulnerable application servers.

Earlier this month, Oracle released a fix for an incomplete database server patch after a private security research outfit discovered that the underlying vulnerability was never addressed.

That patch came almost a month to the day after David Litchfield, managing director at U.K.-based Next Generation Security Software Ltd., brought the faulty patch to the companys attention.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Six Unpatched Flaws in Oracle Database Products
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8c")%[rey-%L*EB%)ۚ'ΗSOx-ɞؖnt7F$I Ӟc-Jg1;D{{?.FP|oS sѩe軫F]̉]kkHNშ :':@.Rs2 j99&ԗoO~e0-ڶAq6)6N0,,Z P8"X.{D~. DuXqLǎH;*#'x8Ӽi/DaOGTHM"x<&J>vn=w2`q|!`T黖8"#oAUVekVClvy!rs#g߮z$nPr&N7w#205ARZ"[ XdTj ӑc)u8r x08JeJ-jfL yf_%z(ww6O) |@ɠi!Zdq=}9ef42ۼMYnU\>TkqZJ{}޴ ޷L{`Tyݙ훏/ EU ns~#GA GfmGh[N"ijQ=vN{ـ\>/.ɣ N|'k[LZ.JX<%ȇ Tb= u P礋\獒AwnFtXT Z, Ԏ$0L"ÌJ3~̢(CdNdВ-AoA>C,[3sAVU̠`W:k1㝩S9k<_st.[>9]VsGV=Bg#j`Bmiuu¿܌vO|3Q&ںa#jCIɽGf;|jio]}:蜒$7SYn Z0dio,Yn_H.)żM|Y|ěy#0ri4(-ߦAf@w[@(k:YKS703h_?]=w a4z@L5&:h)5?&F`Mab&DJH7Q 6)`I˪ TY&嗋mQq>].Q#w=^f/\R@3Al8{ØWҽT6wsY [|48O>]7Du.*s5-wnxˢaZ*;{8k7-ҿ]{0*>cq4Y`I-. :mo:al:} 5KX8T ǿ@8ʍ??5m!S[ö@ .Sks+k~̆>:NQm5>l;4}t>჆$>hhƋMriOMrӇtu4A.~{ͣn]?&tno7,AbGa`Ψs!F#m|&6ld$4(sw[LLσ I#ˋ0P 2/?6axsܧP}MrA=39;ʹiǀxԘڀ;r-Ea3CDأ -H.B$(ZȻB!Alq [$pXdl++~'azGBJe6Os@PG҅3qJP.τRZ z)0ٜʬ$5M힟u]_ ȉ#m"0%X -gZ X5ֲ fT8VJ >Ӥ7= Kbi]yOe&,`b HK%\Ew,[t3Asq=7c@Cyw;J`p=Ͱ"̴b֜u4dMfB7g ƩOI|B3< I8M{lz:eR#O>h0k8-ucys347Nm~|FpIN3_iy>grGֶL/j@>|z[.z: %r% 5kb$T`CfL q^i:[@OeSZqlzQn^ӛA| ~ޮ R[k(Y&&ۊx A-ژ WZD"JMP> 2Cɣ($mU6L?InQy{8dO1>7l`(`RTȅjS#SV+a5sV@@@7h ,9قrij>::NXs]OT \r G Sp>h>JeHǝ:~LҦ;BUjJb35-F   _ǂK e*8t55{yq8XYګžtٔүxMvpv G9Je!6c{ji-6ӞWH>LZ`!?r(1IO5 &^PGe d^s`M[`R9cDzl lF CQ>-L=G.4MD83G[/OAU4$qx3??4X)0*Ly. >:F}`'z\sgItо&hʰeh8`Zzq&$KDX(TЀah"pHE@xZh~x| " L-9HZ1-[*::$f߂ä,Cd>OM{c>4YU f2~2Ejw8x_ℯ-8ݩfCӨ7ߋg_ CzCp`>s}G>N-{h'(0v O*r9IdѮ[D@)% ӣzp|o) nrʃ4t]#@$72}}v~9N(0qs;OM*?RLg%:!pwCTEetXݚ `1}j$aꑎ!L`f0%+ #m6qJs8-"uW:KjZSZ+::>jN枏+ӥ ,G{ݮcfu>:k}]\W ZQa߯yUb^ څHBGdD#`P[v*6'wTk6h)7YS!RW dĞeeK3etjC鳨%Zȓ3w&Z Ĵ\.@ ^(93F[]-M:f2/cX_dU-'0}3hSYlpg=H]ӞyM}|O>=aO#UIV:Mr&kA}kPow(*Kq3`93"豥mBtP+'&GlzxVm"y';"#əN[h ̽~ZÄsqӳP.T*E0=k@" a]&k꾬=M~ITyC[Tޫ*eάR/(QU-q'F.҄^ߍKSbv}b;_&I|SeUȣV82V6jRaokA~fZX)c=g0R TQ>O3(~ (zC9kuA>qRTS,.=JMXJP?YTAteUT n?mVPVW`Zd&s\%\{si0o)Q󩋗afD]R/)3nQ/ ~egm!P?PG te[,r/鉚ƺR`f~` YvH0ש5I-֊R{̡2a{і$¾̓G\\7hg?"X7Swg5ċ)us#RRhwĶZVr?%Da!`0T=({H"p?lV*rF2R@BRNbx<'b{H ' aV*S7o~.Rȓ#cI`q`w0Db*nLgFDccbh^f{i`z oo(0h_pm;dU]uv'HGϢ.cNkp~D*ۧ>]fs0q3f^3.319ow><{>kq 4 }U\8"c{.[Rga\[TezLR(1I]1~̮WVsA0lgAhy# @$+'pK%E;&˶u oл< rLp'Bj^t>\$'d0 szn^'6b7 ` xѤȢ<"̔cxH/ ^!uBU\z׭5g ^|&֒}UYq!slPh4lꏽ5/ٿ+[ 5 ̀o $`P8ǀzB:._#i%LB[( `M/)(+RJ)"4FL |Zu3_f| Rt<~Ur;Pעo)MJ!}J_cNf4~ɮP6=8,rh%縍vR.0?xԾ6z?&i^K_w jE5pASB9kթ-xOӖO|B[QTwJޣd$zdeafIlx4c%RJ锐']'C8 z>RB'T ˓$/+IYO)eqhd*꒐~*~(i&'ءؠҡ۳_5/'8 $O krwisq/Ps<<RpLCRàsڼ'B}$XyKOv$Ť3DJ^MjpVK ɏh8=Na.Or/uϏ*Um_f=z@:'M{q?K8t2Ti\'sXswѺB ?ݡM5=ICw5ϴc>%/5gk3 \:`AL[ıp߆؉ ?O*yr osל8{JnL<:*UP놣ݮcAIi#Q 6j 2'|P,}P Y&P:)@8Obx䇹"% :K3j`ܹj ՄH]L@-H rF:6|p4uYDj8&1E{أweZNhs}UgQ0aȊw/S[j7Z*D\Nɒ+v!oWH\‹+D.gL0w*%'o8nfj1>n1#ErgC 7ci|^䑳.K. 87c'6FH_,Cx7ړ8b6S&1Wˉ1UKMyإvt V7^\Ok>P%6`@LjMZTQzZՒ?=ȓ7ᷜAl)Taz2#o&wdnrKRN4铋RD$,N?-tIrg`! 3Z'!(w2%'j!SN6BwCS;*7'W$ )sy8]S htf/ J=-$-N0tl" VWK`>D FطKOEH'YHjy[*rxe'Jx$!g8{C.i,ىTeK1:V>}TD 4Gqf`/RE.4|`]b,y32Cu͖0D"H7t票16 ¡Te3X"a("G:Ut C_R) B?-z>(s291yiZb|E'K@35zA,[[#]LML28Vȼ D /.pppp|cZpUq#>҅#]8#VcK-ҳ*ߜ:" GA@"HT!S[ԘP-GO!C /m5/kdIzSg 0@-ŭc *T`gs!{?F[03H~Kݒ^5(B͗1&U`~P*KC~MJ($fCIwAJ V4?r|J/dl#u\mrCu&t!}qRW[HM~[tB% jIQk r/A(>¨hvho^~BHx9X[9ۑ-%Bڶ:#)pKMx40 7NȦ칆C$D @$ "!pH>ByIj<-yV̩y tJ!%Vƛ7 ݶi oI O1<]歜h@Ɠ_ݒ/> z15ψar_?09gh0TdXqP$EoI%ٍCc.;;;;|cT,Wmc4}`$;]ٰ4-0%1?AR!1x!lW=B{[\|}aw*vGS6z _Liy>_ _= 1mmlSk;7y D/Wԧ ^1 Hʖo3;? =Y &}*m^B@h-C«ߥDkBG%og 7O>D|{lڮ91CqY~%Qj~D2Oīܬ^- }ƣU4iS:umXo+%[&FIU~}&%ްnn8zlt>+#Ygr{_䪿ޡx4dφVj9 qX ϖ7F\Zq u\Ͳ %⛽pK;ŗq̑[tx=:b1i4^D{mYop;k3u#)A5[o&(6௺eul>/R9=uaYujۈYޣ3玮$zU2KjjJ ehw>02zl~Jif#e։ V$P0"*Θh֖P2a&D+opK@ĈhὓvGeӪSٿggǹ~xP8Pk}-&Ӫ=kQ/ Zi< I37^H2k"w?C* O2SG4; S\0L]o0q_n]|LS^tɜa*5 I?I5?2O:߫%d)xc)1pS\z?W Ɲ@ |*;~ zRZsʉmOG%XxLUWq`1RX>W$& prCvG rذpz~r,zK{6#T9E(96n!dؕŠ=B 0{~CX^qO3&U~6Fce\[SS]zZBo[Ԓ#rd! `Bo,"Exa /EquQ%ǤHFpxe3)4k0q^2Ω,, Y4ڦK711\RK4jPY/OQ/K]ZX:~eL<^^AFDu5WHk̘x]l4vlNz yԥBMkE.TChRGO|0xi1]Hist3#mz^C GJk&pVy +k+LxU8Ow| 􄼥޼voO%YթHҚ,;]^է<*ڢ#R;.]Y\ w[+x6_j~R.gI*]Z 0>`3lV+V+X-JR;v;搯Z+)!σcH@4r kNBK.kXGl7K1#jX0ok!8,6K&#)指wa\lGN$(cX azڭqg `- d\z1W5vᮥq SJ6jSR)Aa _awᷭlslȳ܎oyюM-۠[.н^Ř(-gwql܋1/նWS lO1VF`3+n{lˊRMȶ8.NS)q:.ȹfkaNOt(*]ZIg ?R)!o%&* <src6يj ÙJ \0]% obD+ )o3Ac5H=OeB~ c[7gΥiDVz|L ]ǒ 4B1h1@2_7=}c?ݩ2{xCbwT IhR tX(9CȮ KD8%_]xCàYQ^*_ӄ^I+\QY / PIj WuG1oVz،\S;k4.5iv?O;WN/z7x Zӷp+tsk}9]}9\;\`&hT慶L۝',C rv춙283ksYx9% Ewf8lKO3xRv}YQJNa21SlM֖C|yƫx]j12;ZTmx9j0C=W܄)@1@C|o_Ow5Bx_m^;^dBP~>3{P(GNl.o ZS(?\~9ˠ6wrN+2ʡsQdc?(_6_ 05w~7 >зA.ЧA. .g7?QF/3 3ϡw槤Ixϕ]"&JRo-cENS^.~QJxdR$d3,FD5E|,y|e8Ntw1 }^f>.? fVt{rMtKn yɫr%> |#rӚܴO]̷v<2kӫk+#B5Afп~%sS$iN^ZqzPg~ug= :!Y>Y"+x}s&pN!3J8?0 fZ g8 a箩%gh7CtF {4"q&`jPL ;I*V*r;qO+f1_ìq@Dd= ̈JA._$`rXR8,PPफ़h[iRoh yVi8an%[C Dk(xxWmEy_ƴmRfp-y|y؛ގe@V,(s[^FlB#Vx}31cljt1R {{[1g7ډ:'鼔q8!i;Ìsi܁z3z4}z<8~7mJN)gL=[ ot^}F̈ .LeSzy;*8),_bٴpX]M['lyb*b)mԿ+cU=b][ {w#˹FU9h0( 8[]^̇~2% +Ńq`a\m8JI(q0ASփMo6jb5)"Qxg ӮSD9Eם=%hkоxopO45~îz?ţ:aѡ(Yc{XnD823uw^Nkn]Xn4PkZw>UlY8=ۚ9l؆"dwnܙ%O_$NSPsXf@-N-Nk.|ۃcׂޘ0D00;^&z)6IϐR8+1H EY/j55:Z/5*l$9=ASh4ϛ5eXI% i;j9.KPRJVr.Q ?nbfUSmOTxvO~5Bp`#,w |t,CgcS% #^Π&b_wsԶeEQ&PLŽ)Jqk+yHRݠ#\w|7(6J0wKwïF:`3 s"T)M9DȦˠv3_ɿعiUhHl;:d2֭kc'pg!MX0 <ձ]w O`7@#>Ƌrd{Gop.(I|nHHU֧f2{M{:з57b([|ӼE^߇Fu:l/Asl+ 6-  `⎈meeV9DR*,E&f , ~sf㿶(@P 9Buz Ϸ;<^eӵx2 FWV|JrX}P/)W:OOgsZ%n&_Hv"w,{QFbfA#q얢unD":Ÿ0+n:' wX{ysB(z\|9!3 *`gί>!2D!6xvhMiw#KoyIާ˖VP- QwjA0}U\~HVzC%ȕ/2F#xoUAtMz'14mEg,3lW'Rե{l' uE^8%ܖmJHQ&s)#KMjZ)Mj39Q2kEskq>tgLp -ͱeRZ`l/Z6?<(