http://news.com.com/2100-1009_3-5053714.html By Robert Lemos Staff Writer, CNET News.com July 24, 2003 Database maker Oracle warned customers on Wednesday of three new flaws in its products and reiterated its warning to businesses of a fourth flaw that uses the company's application server. The two most serious vulnerabilities were in the firm's E-Business Suite, Oracle's set of server applications for managing everything from accounting to Intranets. Both were given the highest of three threat ratings assigned by Oracle to its products' vulnerabilities. "Our rating system is based upon likelihood of exploitation and risk of damage if the issue were exploited," said John Heimann, director of security product management for Oracle. "Either of these issues is exploitable and could result in damage if exploited." Oracle has issued advisories and patches on all four vulnerabilities [1]. The first E-Business Suite vulnerability, caused by a set of unsecured Java server pages, could allow any user to view the product's configuration and host-system information. The second flaw, a buffer overflow, could lead a component of the suite to crash and potentially allow an attacker to run code on the system. The flaw in the company's database server could allow an attacker to execute code against the system--but only if the person already has database-administrator rights to the system. The main concern with this type of an attack is that a company insider could gain a higher level of privilege on the server. Oracle also reiterated a warning about several flaws in the application server that could allow people to read files or to look at the source code of Java server pages. [1] http://otn.oracle.com/deploy/security/alerts.htm - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 01:30:50 PDT