    Six Unpatched Flaws in Oracle Database Products

    By
    Ryan Naraine
    -
    July 19, 2005

      A German database security outfit on Tuesday went public with information on six unpatched vulnerabilities—some rated critical—in Oracle Forms and Oracle Reports, two widely deployed enterprise-facing products.

      Red-Database-Security GmbH, a company that specializes in Oracle security audits, warned that the most serious flaw could allow a malicious hacker to use a Web browser to overwrite any file on a vulnerable application server.

      Alexander Kornbrust, founder and CEO of Red-Database-Security, said three of the flaws are deemed “critical” because of the high risk they present to businesses using the affected products.

      In an interview with Ziff Davis Internet News, Kornbrust said he decided to publicly release the information after waiting more than 700 days for Oracle to address the issues.

      Oracle recently released a set of 49 patches.

      Kornbrust said he was expecting to find the patches in Oracle's scheduled July release of “Critical Patch Updates” because of the severity and the widespread deployment of Oracle Forms and Oracle Reports.

      Oracle Forms is a component of the Oracle Developer Suite, while Oracle Reports is the company's enterprise reporting tool.

      The affected products feature prominently in the Oracle Application Server and are also used in the Oracle E-Business Suite.

      “Oracle's behavior not fixing critical security bugs for a long time is not acceptable for their customers,” Kornbrust said, warning that long delays in releasing patches “put their customers in danger.”

      “At least one of these vulnerabilities can be abused from any attacker on the Internet,” he added.

      Kornbrust said he notified the Oracle Security Team three months ago of his plan to publish the bug details if fixes were not included in the July batch of patches.

      “I know that Oracle products are complex and a good patch quality needs some time. That's why I offered Oracle additional time if three months were not sufficient for fixing the bugs. Oracle never asked for additional time,” he said.

      “I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories,” he added.

      Kornbrust, who worked for several years at Oracle Germany, Oracle Switzerland and IBM Global Services as a consultant, said he was not disappointed, but not surprised, that the flaws were not patched.

      “This is very typical of the way Oracle deals with security. They take ages to fix serious bugs. We've had this problem with Oracle for many years,” he declared.

      Oracle has been heavily criticized in the past for being slow to address critical security flaws.

      Last summer, at the BlackHat briefings in Las Vegas, researchers pushed the envelope by releasing details on more than two dozen security holes in Oracle products that had not been fixed.

      At the time, Oracle confirmed that it was aware of the vulnerabilities—some of them “high risk”—for several months.

      The public relations fallout from that incident prompted Oracle to shift to a quarterly patch cycle, in which four “Critical Patch Updates” will be posted every year.

      But it appears the company is still struggling to deal with vulnerabilities that are reported by private researchers.

      According to Kornbrust's advisories, Oracle customers can apply pre-patch workarounds to get temporary protection.

      The flaws range from cross-site scripting and information disclosure to file overwrite and the ability to run OS commands on vulnerable application servers.

      Earlier this month, Oracle released a fix for an incomplete database server patch after a private security research outfit discovered that the underlying vulnerability was never addressed.

      That patch came almost a month to the day after David Litchfield, managing director at U.K.-based Next Generation Security Software Ltd., brought the faulty patch to the company's attention.
