[ISN] Oracle warns of three new flaws

From: InfoSec News (isnat_private)
Date: Thu Jul 24 2003 - 23:11:01 PDT

  • Next message: InfoSec News: "[ISN] Don't Spam This Deputy Minister"

    http://news.com.com/2100-1009_3-5053714.html
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    July 24, 2003
    
    Database maker Oracle warned customers on Wednesday of three new flaws
    in its products and reiterated its warning to businesses of a fourth
    flaw that uses the company's application server.
    
    The two most serious vulnerabilities were in the firm's E-Business
    Suite, Oracle's set of server applications for managing everything
    from accounting to Intranets. Both were given the highest of three
    threat ratings assigned by Oracle to its products' vulnerabilities.
    
    "Our rating system is based upon likelihood of exploitation and risk
    of damage if the issue were exploited," said John Heimann, director of
    security product management for Oracle. "Either of these issues is
    exploitable and could result in damage if exploited."
    
    Oracle has issued advisories and patches on all four vulnerabilities
    [1].
    
    The first E-Business Suite vulnerability, caused by a set of unsecured
    Java server pages, could allow any user to view the product's
    configuration and host-system information. The second flaw, a buffer
    overflow, could lead a component of the suite to crash and potentially
    allow an attacker to run code on the system.
    
    The flaw in the company's database server could allow an attacker to
    execute code against the system--but only if the person already has
    database-administrator rights to the system. The main concern with
    this type of an attack is that a company insider could gain a higher
    level of privilege on the server.
    
    Oracle also reiterated a warning about several flaws in the
    application server that could allow people to read files or to look at
    the source code of Java server pages.
    
    [1] http://otn.oracle.com/deploy/security/alerts.htm
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 01:30:50 PDT