Oracle XDB Flaws Open Door for Hackers
Oracle9i Release 1 and earlier versions are not affected.
To exploit the weaknesses, an authenticated database useri.e., with a valid log-inis required, or the FTP and HTTP servers must be enabled in the XML database.
In the OTNs opinion, an overflow attack via the Internet is unlikely unless users connect databases directly to the Internet, with no intervening application server or firewall. The vulnerabilities are, however, "highly susceptible" to an insider attack that originates on a corporate intranet if users ignore best practices for secure database configuration, the OTN said in a statement.
In other words, the patch needs to be applied ASAP.
There are no workarounds in this situation. To minimize risk, Oracle recommends disabling the FTP and HTTP servers in the XML database. Those are both installed and enabled by default and cant be turned on or off individually. To view instructions on disabling the servers, click here [pdf].
Oracle recommends that customers review the severity rating for this alert and patch accordingly. The rating is available at the link given above. For a definition of severity ratings, click here [pdf]. The patch is downloadable here.