Oracle researcher announces high-risk flaws

By Shawna McAlearney, News Editor 20 Jul 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Concerned with the dangers posed by multiple vulnerabilities left unpatched by Oracle, a security researcher has gone public with information on six flaws -- three high-risk -- and recommends workarounds.

Alexander Kornbrust, a security researcher with Red-Database-Security GmbH, said he "tried to be fair" with Oracle Corp. when it came to releasing details on the flaws. But, he said, "more than 650 days [between 663 and 718 days] should be sufficient, even for a large company." He added that he told Oracle three months ago that he would announce these issues publicly if the company didn't produce a patch in its July roundup of fixes. Kornbrust also offered Oracle additional time to fix the flaws if it needed an extension, but the company never asked for additional time.

And he isn't the only one. It's widely known in the industry that a number of security researchers, including David Litchfield of NGSSoftware, have reported security issues to Oracle that remain unresolved -- in many cases more than a year later.

"Some people assume that there is a communication problem between Oracle and Red-Database-Security. That's possible," Kornbrust said. "But why has David Litchfield also 13 high and four medium security bugs open for almost a year? The next patch is scheduled for October 2005 -- more than one year. I heard similar complaints about slow patch process from iDefense and AppSecInc."

Other recent Oracle news Oracle issues patches but misses the mark again Flaws in Oracle's Metalink similar to 'Google hacking'

Kornbrust said the most serious of the flaws is the ability to overwrite any file via desname in Oracle Reports. It affects Oracle Reports 6.0, 6i, 9i and 10g. Oracle Reports, a component of the Oracle Application Server, is used in the E-Business Suite and many large customers use it as reporting tool for their enterprise applications. "An attacker could destroy Oracle Application Server on the Web by just modifying a URL," he added. "Vulnerable Reports servers can be found via Google Hacking. Within minutes an attacker could destroy several Application Servers." Click here for a workaround.

He also noted that two flaws that allow OS command execution are particularly serious.

A high-risk flaw in Oracle Forms Services, a component of the Application Server used in Oracle's E-Business Suite and a number of enterprise applications, can allow OS command execution, Kornbrust said. The vulnerability affects Oracle [Web] Forms 4.5, 5.0, 6.0, 6i, 9i and 10g. Click here for his workaround.

"Oracle Forms Services starts forms executables [*.fmx] from any directory and any user on the application server. These forms are executed as user Oracle or System [Windows]," Kornbrust wrote in the advisory. "An attacker able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav, SMB, Webutil, SAMBA, NFS, FTP, etc. By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user."

Another high-risk flaw can allow an attacker to run any OS command via unauthorized

Sound off! Share your thoughts on what's going on with Oracle that has prevented it from patching flaws that are up to two years old.

Oracle Reports. It affects Oracle Reports 6.0, 6i, 9i and 10g. Click here for his workaround.

The advisory states: "Oracle Reports starts reports executables [*.rep or *.rdf] from any directory and any user on the application server. These reports are executed as user Oracle or System [Windows]. An attacker able to upload a specially crafted reports executable to the application server is able to run any OS command or read and write text files on the application server [e.g. wdbsvr.app containing Oracle passwords]. By using the report parameter with an absolute path it is possible to execute reports executables from ANY directory and ANY user."

The other flaws are less severe and include two medium-risk information disclosure flaws; one in desformat and another in customized parameters. The remaining low-risk cross-site scripting flaw affects Oracle Reports.

"Customers should read the advisories carefully, try to understand the problem(s) and try to implement the workarounds on their test system first," Korbrust recommended. "If everything is working they should implement these workarounds on their production system.

"Customers should also ask Oracle why does it take so long to fix security issues," Kornbrust concluded. "Is Oracle's security team too small to handle all these issues?"

Tags: Database Security Management,  Security Patch Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management IBM to acquire database security firm Guardium What is the best database patch management process? Unpatched vulnerability discovered in Microsoft SQL Server SQL injection continues to trouble firms, lead to breaches Oracle issues quarterly patches, fixes database flaws Database monitoring, encryption vital in tight economy, Forrester says Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Imperva assigns security risk levels to databases How to create configuration management plans to install DLP Database Security Management Research Security Patch Management What patch management metrics does Project Quant use? Squad: Tokenization, Phishing and the Feds Should management processes change based on a patch release schedule? Should Windows Mobile updates come from Microsoft? Adobe updates ColdFusion, JRun, Flex Trusteer CEO criticizes Adobe, touts better patch deployments Patch management study shows IT taking significant risks Vulnerability mitigation study shows need for faster patching Microsoft to issue security report card, new tool at Black Hat How to manage patches for Adobe

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary