A security research firm has reported details of six
vulnerabilities in products from Oracle that were not fixed in the
supplier’s last round of patches.
Oracle last week issued fixes for almost 50 vulnerabilities in
its products as part of its quarterly patching cycle, but
Red-Database-Security has published details of additional flaws in
Oracle Reports, Oracle Forms and other Oracle software.
The security company said it had warned Oracle of the security
holes around two years ago and published details after growing
impatient over a lack of action by Oracle.
Along with details of the threats, the security company provided
users with workarounds to stop attackers exploiting the
vulnerabilities.
Three of the bugs were described by Red-Database-Security as
“high risk”. One allows a hacker to overwrite files in Oracle
Application Server, of which Oracle Reports is a component.
Red-Database-Security said Oracle had acknowledged the threats.
Oracle is considering whether to issue patches in the future.
More details of the potential vulnerabilities can be found at:
http://www.red-database-security.com/advisory/published_alerts.html