Oracle is warning customers to apply software patches it
released in August because of the availability of malicious code
that can exploit unpatched vulnerabilities in its
software.
The company said it has received notification that there are
published exploits for "some of the issues" addressed in a recent
security alert. The company did not provide information about the
exploits.
The security holes affect a number of Oracle products, including
versions of its 8i, 9i and 10g Database, Application Server and
Enterprise Manager software, according to a bulletin posted on
31 August by Oracle, which also released a patch for the
vulnerabilities.
The exposure for vulnerabilities in Oracle's Database Server and
Application Server was described as "high" because attackers could
take advantage of the flaws with network access, but without a
valid user account and password.
The hole in Enterprise Manager was rated a "medium" risk,
because attackers would need both access to the network running the
Enterprise Manager and a valid operating system user account on the
machine running Enterprise Manager, Oracle said.
In September, the US government's Computer Emergency Response
Team issued an alert about the flaws, noting that they could be
used to shut down or take control of vulnerable systems running the
software or to corrupt or steal data from the Oracle databases.
Oracle strongly recommends affected customers apply the software
patches "without delay".
Paul Roberts writes for IDG News Service