resource center
  See your link here
|
Subscribe to Computerworld IDG News Service -
Oracle Corp. and a security researcher are trading barbs over a vulnerability in the company's software that has gone unpatched since it was discovered in October.
Oracle is warning its customers not to use a work-around written by David Litchfield for a security vulnerability (see "Zero-day Oracle hole leads to third-party work-around"), saying it could break Oracle's software. Litchfield, managing director of Next Generation Security Software Ltd. in Sutton, England, said he posted the fix on the BugTraq mailing list on Wednesday after warning Oracle about the dangers the vulnerability posed.
Oracle was notified of the work-around before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said.
"We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.
Oracle has issued several patches for the vulnerability over the past four years, none of which worked, Litchfield said Friday.
The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. The vulnerability lies with the PLSQL gateway, a bit of code that allow Web-based users to interact with PLSQL applications in the back-end database server, Litchfield said. The gateway passes a user request to the back-end database server and executes there, he said.
"Someone can come in off the Internet over the Web without a user ID or password and interact with the back-end database server, so it goes through all the firewalls," Litchfield said. "This is critical."
The fix is "trivial" and he doesn't understand why a patch was not included in Oracle's Critical Patch Update last week. When a fix wasn't issued, Litchfield said he thought, "Well, you know, I'll do it then. ... It's not difficult."
But Harris contested that assumption. "Compared to some others, this one is extremely difficult to fix and test it thoroughly," he said.
Oracle prioritizes vulnerabilities as far as patching, Harris said. So far, no exploit code has been released. If exploit code is released, Oracle could push out a quick one-time emergency patch, Harris said. The next patching round is scheduled for April, and whether this vulnerability is fixed will depend on whether there are other more pressing ones, he said.
Nonetheless, Harris assailed Litchfield's action.
"By just revealing what he has in this work-around, it definitely is a very strong starting point for any malicious hacker... to try and understand the vulnerability and produce
IDG.net
Mitigating Litigation Risk with Email Management Tools
Does your company have an email retention policy that protects it when litigation occurs? IDC discusses effective email retention policies and the role...
Managing And Protecting Your Ever Increasing Mobile Assets
Learn best practices for desktop and application virtualization, computer security, and computer life-cycle management....
Protecting Content During Business Disruption: Are You Covered?
Learn how ECM is helping Tulane University and the 13th Judicial Circuit Court implement disaster readiness programs....
Why Compliance Pays
This OnDemand webcast explores the relationship that firms with best compliance records have higher revenue, greater customer retention, lower financial losses from data...
Beyond PCI Checklists: Securing Cardholder Data with Tripwire's Enhanced File Integrity Monitoring
How do organizations pass their PCI DSS audits yet still suffer security breaches? Paying attention to PCI DSS checklists only partially secures the...
Best Practices for Managing Business Risks from the Use of IT
(Source: Symantec) Based on exhaustive benchmarks conducted by the IT Policy Compliance, this session highlights the relationship between business risks and use of...
Authentication as a Service by Forrester Research
Authentication-as-a-Service: understand the benefits of two factor authentication and the best ways to implement it....
Sun OpenSSO Enterprise Webinar
(Source: Sun) This webinar replay discusses Sun OpenSSO Enterprise innovation--the single, open-source solution that helps your business solve the challenges around internal access...
Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
Since the adoption of SOX, much has been learned about IT compliance. Discover how to make SOX efforts more effective in "Sustaining Sox...
Agile Enterprise Content Management (ECM) for Rapid ROI
(Source: IBM) Content rich business processes are a core feature of daily operations at just about any organization today. Very often these essential...
Sign up to receive updates on the latest Security resources
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDC
IDG
IDG Connect
IDG Knowledge Hub
IDG TechNetwork
IDG Ventures
IDG.net
InfoWorld
ITwhitepapers
ITworld
JavaWorld
LinuxWorld
Macworld
Network World
PC World
The Industry Standard
Copyright © 1994 - 2009 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission ofComputerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc. |
