[ISN] Oracle Issues High-Severity Vulnerability Warning

From: InfoSec News (isn@private)
Date: Mon Dec 08 2003 - 02:26:42 PST


    http://www.eweek.com/article2/0,4149,1405700,00.asp
    
    By Brian Fonseca 
    December 5, 2003 
    
    Oracle this week issued a high severity security alert warning of 
    Secure Sockets Layer (SSL) vulnerabilities that will require the 
    immediate attention of managers to apply patch fixes on at-risk 
    systems. 
    
    According to an Oracle Security Alert issued on Thursday, the 
    notification addresses SSL vulnerabilities detailed in CERT Advisory 
    CA-2003-26 and SSL vulnerabilities detailed in several older Common 
    Vulnerabilities and Exposures (CVE) Candidates. 
    
    Through its alert, Redwood City, Calif.-based Oracle confirmed that a 
    variety of its server products could be tampered with through 
    vulnerabilities via the OpenSSL protocol. The flaws could potentially 
    open the door for a remote hacker to cause a denial-of-service (DoS) 
    attack, execute arbitrary code, and gain access privileges. 
    
    Products affected by the vulnerability include certain releases of 
    Oracle9i Database Server, Oracle8i Database Server, Oracle9i 
    Application Server, and Oracle HTTP Server. 
    
    OpenSSL is a widely used open-source deployment of the SSL and 
    Transport Layer Security (TLS) protocols. The protocols offer 
    encryption, authentication, and other security measures to HTTP and 
    other network applications. 
    
    To minimize risk, Oracle recommended that users apply patches since no 
    workarounds exist that fully address the potential security 
    vulnerabilities. Patches for the security vulnerabilities are 
    available on Oracle's support Web site, MetaLink. 
    
    
    
    


