Two exploits for vulnerabilities in Oracle applications
have been spotted by security experts.
Oracle released a critical patch update earlier this week to fix
36 security vulnerabilities in a range of products, including its
Database, Application Server, Enterprise Manager and Collaboration
Suite software.
But security firm Symantec has warned that two exploits
are already in the public domain. Kevin Hogan, a senior manager at
Symantec’s security response group, said the team was still
reviewing the 36 vulnerabilities. “A number are critical,” he
confirmed.
“There have been two exploits mentioned publicly – one on the
Bugtraq mailing list and the other posted by Red Database Security
group. Those exploits are related to two different
vulnerabilities.”
He said the Symantec team could not yet confirm whether the
exploits worked, but added, “They look legitimate, they look like
they do work.”
Hogan said, “Most of what we’ve seen so far does require valid
authenticated access [to exploit], but the vulnerabilities may
allow someone to get access at a higher level.”
He urged IT administrators to apply the patches as soon as
possible. “There’s a buffer overflow vulnerability that potentially
could allow access not just to the database but essentially to the
machine. There may be some more in there that do worse things,” he
said.
Oracle’s patch release, part of its quarterly cycle, follows
critical out-of-cycle security patches issued in February and
March.
Earlier this month, Oracle inadvertently alerted hackers to a
bug in its Server platform, accidentally publishing information
that could be used to exploit it. The information has since been
withdrawn.