The XDB (XML Database) in Oracle Corp.s Oracle9i Database Release 2 has a set of potential buffer overflows that a smart attacker could exploit to cause a denial-of-service (DoS) attack or to capture an active user session on Oracle9i, the companys OTN (Oracle Technology Network) informed users earlier this week.
Oracle9i Release 1 and earlier versions are not affected.
To exploit the weaknesses, an authenticated database user—i.e., with a valid log-in—is required, or the FTP and HTTP servers must be enabled in the XML database.
In the OTNs opinion, an overflow attack via the Internet is unlikely unless users connect databases directly to the Internet, with no intervening application server or firewall. The vulnerabilities are, however, "highly susceptible" to an insider attack that originates on a corporate intranet if users ignore best practices for secure database configuration, the OTN said in a statement.
In other words, the patch needs to be applied ASAP.
There are no workarounds in this situation. To minimize risk, Oracle recommends disabling the FTP and HTTP servers in the XML database. Those are both installed and enabled by default and cant be turned on or off individually. To view instructions on disabling the servers, click here [pdf].
Oracle recommends that customers review the severity rating for this alert and patch accordingly. The rating is available at the link given above. For a definition of severity ratings, click here [pdf]. The patch is downloadable here.