http://www.eweek.com/article2/0,4149,1405700,00.asp By Brian Fonseca December 5, 2003 Oracle this week issued a high severity security alert warning of Secure Sockets Layer (SSL) vulnerabilities that will require the immediate attention of managers to apply patch fixes on at-risk systems. According to an Oracle Security Alert issued on Thursday, the notification addresses SSL vulnerabilities detailed in CERT Advisory CA-2003-26 and SSL vulnerabilities detailed in several older Common Vulnerabilities and Exposures (CVE) Candidates. Through its alert, Redwood City, Calif.-based Oracle confirmed that a variety of its server products could be tampered with through vulnerabilities via the OpenSSL protocol. The flaws could potentially open the door for a remote hacker to cause a denial-of-service (DoS) attack, execute arbitrary code, and gain access privileges. Products concerned with the vulnerability include certain releases of Oracle9i Database Server, Oracle8i Database Server, Oracle9i Application Server, and Oracle HTTP Server. OpenSSL is a widely-used-open source deployment of the SSL and Transport Layer Security (TLS) protocols. The protocols offer encryption, authentication, and other security measures to HTTP and other network applications. To minimize risk, Oracle recommended that users apply patches since no workarounds exist that fully address the potential security vulnerabilities. Patches for the security vulnerabilities are available on Oracle's support Web site, MetaLink. - ISN is currently hosted by Attrition.org To unsubscribe email majordomo@private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Dec 08 2003 - 04:55:20 PST