Database giant Oracle is warning customers about
security holes in versions of its Oracle 9i Database
Server.
The company released a software patch and security alert to fix
a set of buffer overflows in the XML Database component of
Oracle9i.
The XML Database (XDB) component lets Oracle customers have query
results from the database returned in XML format; it also ships with
its own FTP and HTTP listeners.
The vulnerability affects Oracle 9i Database Server Release 2.
Customers running Release 1 or earlier versions of the 9i Database
Server are not affected.
A "knowledgeable and malicious" Oracle user could exploit the
vulnerability to launch a denial-of-service (DoS)
attack which disrupts the Database Server's operation, or take
control of an active user session on the Database Server, Oracle
said.
A successful exploit of the buffer overflows would give an attacker
"total control" over the data stored in the database, enabling them
to copy, alter or delete it, according to David Litchfield of Next
Generation Security Software.
On certain operating systems, such as Microsoft's Windows, the
vulnerability would give attackers total control over the machine
running the database server as well, Litchfield said.
No user account or password would be necessary to exploit a
vulnerable 9i Server as long as the FTP (File Transfer Protocol)
and HTTP servers are enabled on the 9i XML Database.
Those services are installed and enabled by default on 9i
Database Servers and cannot be disabled individually.
In one case, a buffer overflow in the code that accepts logins to the
FTP and HTTP servers lets attackers compromise the database server
simply by submitting an overlong user name and password combination,
before any authentication has taken place, Litchfield said.
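The article does not show the affected code, and the example below is not Oracle's code and makes no claim about how the XDB listener or Oracle's patch is written. It is an added illustration of the bug class described: a login handler that copies a client-supplied user name into a fixed-size stack buffer without checking its length, next to the bounded version that refuses what does not fit. The function names, the 32-byte buffer size, the FTP "USER" line format, and the sample login lines are all assumptions constructed for the example.

```c
/* Added example: the bug class behind an "overlong user name" overflow in
 * a network login handler, and its fix.  Not Oracle's code; names, sizes
 * and sample traffic are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32   /* assumed size of the handler's user-name buffer */

/* Vulnerable shape: unbounded copy of the client-supplied name into a
 * fixed stack buffer.  Anything longer than NAME_MAX_LEN - 1 bytes runs
 * past the end of 'name' and overwrites whatever the compiler placed
 * after it (saved registers, the return address).  Only call this with
 * short input: the overflow is undefined behaviour. */
int login_vulnerable(const char *user)
{
    char name[NAME_MAX_LEN];
    strcpy(name, user);                 /* no length check at all */
    return strcmp(name, "scott") == 0;  /* 1 = known user, 0 = unknown */
}

/* Length of s, but never looking further than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened shape: measure first, refuse what does not fit, then copy.
 * Returns 1 for a known user, 0 for an unknown one, -1 for a name that
 * is too long (a protocol error that should be logged and dropped). */
int login_checked(const char *user)
{
    char name[NAME_MAX_LEN];
    size_t n = bounded_len(user, NAME_MAX_LEN);
    if (n == NAME_MAX_LEN)              /* no terminator within the bound */
        return -1;
    memcpy(name, user, n + 1);          /* n + 1 <= NAME_MAX_LEN, incl. NUL */
    return strcmp(name, "scott") == 0;
}

/* Parse an FTP "USER <name>\r\n" command line into out (outsz bytes,
 * including the terminating NUL).  Returns 0 on success, -1 if the line
 * is not a USER command, -2 if the name would not fit.  The copy loop is
 * bounded by the destination size, not by the client's input. */
int parse_ftp_user(const char *line, char *out, size_t outsz)
{
    const char *p = line;
    size_t i = 0;
    if (outsz == 0)
        return -2;
    out[0] = '\0';
    if (strncmp(p, "USER ", 5) != 0)
        return -1;
    p += 5;
    while (*p != '\0' && *p != '\r' && *p != '\n') {
        if (i + 1 >= outsz) {           /* would overflow: refuse it */
            out[0] = '\0';
            return -2;
        }
        out[i++] = *p++;
    }
    out[i] = '\0';
    return 0;
}

/* Full path a listener would take for one received line: parse, then
 * authenticate with the bounded handler.  Same return codes as above. */
int check_login_line(const char *line)
{
    char name[NAME_MAX_LEN];
    int rc = parse_ftp_user(line, name, sizeof name);
    if (rc != 0)
        return rc;
    return login_checked(name);
}

/* Constructed sample traffic (not captured from any real server): a
 * normal login and an oversized one of the kind the article describes. */
#define OVERLONG_LEN 200
const char *sample_user_line(void) { return "USER scott\r\n"; }
const char *sample_overlong_line(void)
{
    static char line[5 + OVERLONG_LEN + 3];
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', OVERLONG_LEN);
    memcpy(line + 5 + OVERLONG_LEN, "\r\n", 3);   /* CR, LF, NUL */
    return line;
}

int main(void)
{
    printf("normal login:   rc=%d\n", check_login_line(sample_user_line()));
    printf("overlong login: rc=%d (rejected before anything is copied)\n",
           check_login_line(sample_overlong_line()));
    /* login_vulnerable(sample_overlong_line() + 5) would smash the stack
     * and is deliberately never called. */
    return 0;
}
```

The point of the hardened path is that the decision to reject is taken from the size of the destination buffer before a single byte is written, so a client that never authenticated cannot reach the copy with more data than the buffer holds; truncating silently would avoid the crash but still lets an attacker pick which name actually gets checked.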
Oracle calls anonymous attacks from the internet "unlikely",
noting that the Database Server would have to be reachable
directly from the public internet, with no firewall or intervening
server in between.
The vulnerability is more likely to be exploited from within a
corporate intranet, Oracle said.
However, given the central role that most database servers play
in corporate IT, the distinction between remote and insider attacks
is misleading, according to Litchfield.
"If people are reading that and saying 'We're not vulnerable to
an internet attack, so I'm not going to be speedy and patch this,'
then Oracle is sending out the wrong vibes."
"If you're an Oracle shop and you're using [Oracle] 9i on your
public website, attackers can gain control of what's public and
then bounce attacks inside. That's what they do," Litchfield
said.
Both Oracle and Litchfield have advised affected customers to
apply the software patch supplied by Oracle as soon as
possible.
While Oracle said there was no interim workaround that could
be used before the patch is applied, Litchfield said that customers
who are not using XDB features could disable XDB by changing the
9i Database Server configuration.
Paul Roberts writes for IDG News Service