Oracle has issued a security alert and software patches
for a set of serious vulnerabilities in the security protocols used
by some of its server products.
The flaws affect certain versions of Oracle's 8i and 9i Database
Server, Oracle 9i Application Server, and versions 8 and 9 of the
Oracle HTTP (Hypertext Transfer Protocol) Server.
Any client that can access an affected Oracle server could
exploit the vulnerabilities. The alert characterises users' risk of
exposure from the vulnerability as "high".
Oracle "strongly recommends" that users apply patches for these
vulnerabilities and said there were no alternative workarounds to
correct the issues.
The flaws lie in the handling of data encoded in ASN.1 (Abstract
Syntax Notation One), the syntax used for the certificates and other
structures exchanged by the SSL (Secure Sockets Layer) and TLS
(Transport Layer Security) protocols, which are widely used for
exchanging data securely on the internet.
"A lot of the problems have to do with the way that ASN.1
handles purposefully badly constructed data," said Art Manion, an
internet security analyst with Carnegie Mellon's Cert (Computer
Emergency Response Team) Co-ordination Centre.
By submitting deliberately malformed data, such as a certificate
presented during the SSL/TLS handshake, a malicious client could, in
theory, take control of a server running the affected SSL/TLS
software.
"In a worst case scenario, a malicious client, using a specially
crafted client certificate, could execute arbitrary code on a
vulnerable server," he said.
Although such an exploit is technically possible, no attacks using
it had been reported at the time of writing.
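The failure mode Manion describes is a parser trusting the length fields inside ASN.1 data it receives from a client. As an added illustration, not Oracle's or OpenSSL's code, the following minimal DER tag-length-value reader in C shows the checks a parser needs in order to reject the malformed lengths a crafted certificate can carry: truncated length fields, indefinite lengths, non-minimal encodings, and declared lengths that run past the end of the buffer. The type and function names and the sample byte strings are hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Oracle's or OpenSSL's code: a minimal DER
 * tag-length-value (TLV) reader that refuses the malformed length
 * encodings a crafted client certificate can carry. All names below are
 * hypothetical and the byte strings are constructed for this illustration. */

typedef struct {
    uint8_t tag;           /* identifier octet */
    const uint8_t *value;  /* start of the content octets */
    size_t len;            /* content length, already bounds-checked */
    size_t consumed;       /* header + content bytes used from the buffer */
} der_tlv;

/* Read one TLV from buf. Returns 0 on success, -1 on malformed input. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len;
    uint8_t tag, first;

    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                       /* need at least tag + length */
    tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return -1;                       /* multi-byte tag numbers: unsupported here */
    first = buf[pos++];
    if (first < 0x80) {
        len = first;                     /* short form */
    } else if (first == 0x80) {
        return -1;                       /* indefinite length: BER only, never DER */
    } else {
        size_t nbytes = first & 0x7f;    /* long form: number of length octets */
        if (nbytes > sizeof(size_t))
            return -1;                   /* length would not fit in size_t */
        if (nbytes > buflen - pos)
            return -1;                   /* the length field itself is truncated */
        if (buf[pos] == 0)
            return -1;                   /* leading zero octet: non-minimal encoding */
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return -1;                   /* should have used the short form */
    }
    if (len > buflen - pos)
        return -1;                       /* content runs past the buffer: the
                                            classic crafted-certificate case */
    out->tag = tag;
    out->value = buf + pos;
    out->len = len;
    out->consumed = pos + len;
    return 0;
}

/* Walk the children of a constructed element such as a SEQUENCE and return
 * their count, or -1 if the outer element or any child is malformed. A
 * certificate is a SEQUENCE of nested SEQUENCEs, so a real parser repeats
 * this loop at every level; one bad inner length must fail the whole parse. */
int der_count_children(const uint8_t *buf, size_t buflen)
{
    der_tlv outer, child;
    size_t pos = 0;
    int count = 0;

    if (der_read_tlv(buf, buflen, &outer) != 0)
        return -1;
    if ((outer.tag & 0x20) == 0)
        return -1;                       /* primitive element: no children */
    while (pos < outer.len) {
        if (der_read_tlv(outer.value + pos, outer.len - pos, &child) != 0)
            return -1;
        pos += child.consumed;
        count++;
    }
    return count;
}

/* Constructed samples. SAMPLE_VALID is SEQUENCE { INTEGER 1, OCTET STRING "ab" }. */
const uint8_t SAMPLE_VALID[]      = {0x30,0x07,0x02,0x01,0x01,0x04,0x02,0x61,0x62};
const uint8_t SAMPLE_INNER_OVER[] = {0x30,0x07,0x02,0x01,0x01,0x04,0x10,0x61,0x62}; /* inner length 16, only 2 bytes left */
const uint8_t SAMPLE_HUGE_LEN[]   = {0x30,0x84,0xff,0xff,0xff,0xff,0x00};            /* declares ~4 GiB of content */
const uint8_t SAMPLE_INDEFINITE[] = {0x30,0x80,0x02,0x01,0x01,0x00,0x00};            /* BER indefinite length */

int main(void)
{
    printf("valid:        %d\n", der_count_children(SAMPLE_VALID, sizeof SAMPLE_VALID));
    printf("inner over:   %d\n", der_count_children(SAMPLE_INNER_OVER, sizeof SAMPLE_INNER_OVER));
    printf("huge length:  %d\n", der_count_children(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN));
    printf("indefinite:   %d\n", der_count_children(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    return 0;
}
```

The point of the example is the order of the checks: every arithmetic step on an attacker-supplied length is compared against the bytes actually remaining before it is used as an offset or a copy size, so a certificate that claims more content than it carries is rejected rather than read past the end of the buffer.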
The vulnerabilities were originally discovered by researchers at
London's National Infrastructure Security Co-ordination Centre and
then documented in a Cert advisory on 1 October.
Oracle could have reduced the risk presented by these bugs had
it removed certain features from the OpenSSL software libraries
included with its servers, according to Thor Larholm, a senior
security researcher with PivX Solutions, a network security
consultancy.
"Oracle should have done more to tailor the available
functionality in the libraries they included, as some of the
vulnerabilities in OpenSSL which Oracle subsequently became
vulnerable to [are] not even used by Oracle itself," he said.
Because the vulnerabilities are in OpenSSL, they affect a wide variety
of software that embeds the library for SSL and TLS, Oracle's products
among them.
The company's security alert can be found at
otn.oracle.com/deploy/security/pdf/2003alert62.pdf
Robert McMillian writes for IDG News Service