[ISN] DHS Issues Oracle Warning

From: InfoSec News (isn@private)
Date: Fri Jun 11 2004 - 03:20:38 PDT

    http://www.fcw.com/fcw/articles/2004/0607/web-oracle-06-10-04.asp
    
    By Florence Olsen 
    June 10, 2004 
    
    Homeland Security Department officials used the National Cyber Alert 
    System this week to warn users of critical security vulnerabilities 
    discovered in Oracle Corp.'s E-Business Suite 11i and Oracle 11 
    applications. 
    
    The DHS alert warned that unauthorized but knowledgeable persons with 
    Web browser access to unpatched versions of the Oracle software can 
    exploit the vulnerabilities to execute destructive structured query 
    language procedures inside the applications.
    
    Oracle has provided a patch that users can download to close the 
    security holes for the software versions named in the alert. Earlier 
    versions have not been tested for the vulnerability because Oracle is 
    no longer providing patches for the older versions.
    
    Applications making the vulnerability list include Oracle E-Business 
    Suite 11i and 11.5.1 through 11.5.8 and all releases of Oracle 11 
    applications. Oracle E-Business Suite Release 11.5.9 and later 
    versions are not vulnerable.
    
    According to Integrigy Corp.'s Stephen Kost, a security expert who 
    discovered the vulnerabilities, the unpatched Oracle database 
    applications are open to malicious exploits known technically as SQL 
    injection attacks. 
    
    The DHS alert warns that "exploitation may lead to compromise of the 
    database application, data integrity or underlying operating system." 
    No operating system is immune. 
    
    Oracle databases and applications are widely used throughout the 
    federal government. The Energy Department's Sandia National 
    Laboratories and NASA's Jet Propulsion Laboratory, among others, use 
    the Oracle E-Business Suite for managing their business operations.
    
    
    
    


