Oracle's 9i database is breakable, despite the company's claims of
total security, according to a south London security firm.
Next Generation Security Software has uncovered flaws in the
company's software, including one that could allow a hacker to gain
access to Oracle's database server without a user ID or password.
Oracle said that it was first informed about the flaws in December
and had already made available patches and workarounds.
"No Oracle customers have reported issues stemming from these
bugs," the company said in a statement.
The co-founder of Next Generation Security Software, David
Litchfield, gave details of the flaws on Wednesday (6 February)
after announcing in December that he had discovered them.
Litchfield is expected to present a paper on his work at a
forthcoming Black Hat security conference, according to Oracle.
The vulnerability that allows attackers to access a database server
without authorisation also allows the attacker to execute a
function in that software from a remote location. It affects
Oracle9i and Oracle8i database servers running on all operating
systems, according to the security advisory.
A second flaw could allow attackers to run arbitrary code or
perform a denial of service attack on the Oracle9i application
server running on Sun Microsystems's Solaris 2.6 operating system
for SPARC processors, Microsoft's Windows NT and 2000 Server
operating systems and Hewlett-Packard's HP-UX version 11.0
operating system for 32-bit operating systems, according to the
advisory.
Another vulnerability enables an attacker to view the source code
of Java Server Pages when they are downloaded from Oracle9i
application servers running on all operating systems. Those files
often display information such as the database user ID and
password.
The security advisories are available at Next Generation
Securities' Web site at
www.nextgenss.com/advisories
Oracle has made patches and workarounds available online at
http://otn.oracle.com/deploy/security/alerts.htm