Multiple critical flaws identified in Oracle

By Shawna McAlearney, News Writer 04 Aug 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Thirty-four vulnerabilities -- the majority of them critical -- have been identified in multiple versions of Oracle's database server.

"Most of the flaws are critical," said David Litchfield, a researcher at UK-based NGSSoftware, whose company discovered the flaws. "One allows an attacker to gain control of the database server without a userID or password. Others allow low-privileged users (i.e. those that do have a userID and password) to gain complete control of the database server."

Litchfield discussed the vulnerabilities in very broad terms at last week's Black Hat Briefings in Las Vegas. He refused to provide specific detail on the flaws because Oracle hasn't released patches yet. Generally, the flaws have to do with the Procedural Language/Structured Query Language and its triggers.

10g, 8i and 9i are all vulnerable so anyone running any of these versions of Oracle should pay attention when the patches come out. David Litchfield researcher, NGSSoftware

PL/SQL is Oracle's extension to standard SQL and is programmable like T-SQL in the Microsoft world, said Litchfield. It's used to create stored procedures, functions, packages (collections of procedures and functions), triggers and objects, and extends external procedure functionality.

PL/SQL executes with the privileges of the definer; a procedure owned by SYS executes with SYS privileges. A procedure owned by SYS but called by SCOTT executes with the privileges of SCOTT (analogous to Suid programs in the *nix world). It acts as a proxy, passing requests to the database server and allowing PL/SQL to execute inside the database server.

To protect against PL/SQL injection, Litchfield recommends using BIND variables and validating input.

"10g, 8i and 9i are all vulnerable so anyone running any of these versions of Oracle should pay attention when the patches come out," Litchfield said. "Oracle 7 is also vulnerable but is no longer supported by Oracle so no patches for this version will be made available."

Tags: Database Security Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Database Security Management Oracle to buy Sun Microsystems for $7.4 billion Oracle issues 43 updates, fixes serious database flaws Information security book excerpts and reviews Kaspersky website hacked multiple times, expert says Kaspersky website hacked, customer activation codes exposed SQL injection attacks targeting Flash, JavaScript errors Fuzzing tool helps Oracle DBAs defend against SQL injection Oracle extends Audit Vault third-party database compatibility When should a database application be placed in a DMZ? Oracle patches dangerous WebLogic, Secure Backup vulnerabilities Database Security Management Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data encryption/decryption IC  (SearchSecurity.com) International Data Encryption Algorithm  (SearchSecurity.com) link encryption  (SearchSecurity.com) MD2  (SearchSecurity.com) MD4  (SearchSecurity.com) MD5  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary