Oracle is urging users to download a patch immediately to plug security holes in its main database products, including its 8i, 9i and 10g systems.

The potential flaws were confirmed by Oracle at the end of August, but many firms have not responded quickly enough, and Oracle said details of real-life exploits of the flaws are circulating on the internet. The US-based Computer Emergency Response Team (CERT) published its own findings on the security holes last month, which relate to buffer overflow and SQL injection exploits, among other potential attacks. CERT said the flaws could be used to shut down or take control of vulnerable systems, or to corrupt or steal data from databases.

Oracle has not published full details of the holes in its products, but admitted that exploits now existed for "some of the issues". Oracle said the risk to its Database Server and Application Server systems was "high" because potential attackers can take advantage of the flaws with just network access, without the need for a valid user account and password. Oracle said the holes in Enterprise Manager are rated as "medium risk" because attackers would need access to the network and details of a user account running on the platform to exploit them.
Oracle systems that need patching
- Oracle Database 10g Release 1, version 10.1.0.2
- Oracle 9i Database Server Release 2, versions 126.96.36.199 and 188.8.131.52
- Oracle 9i Database Server Release 1, versions 184.108.40.206, 220.127.116.11 and 9.0.4
- Oracle 8i Database Server Release 3, version 18.104.22.168
- Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
- Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
- Oracle Application Server 10g (9.0.4), versions 22.214.171.124 and 126.96.36.199
- Oracle 9i Application Server Release 2, versions 188.8.131.52 and 184.108.40.206
- Oracle 9i Application Server Release 1, version 220.127.116.11
- Oracle's Collaboration Suite and E-Business Suite 11i contain some of the vulnerable components and are also affected.