Oracle warns of security flaw in 9i database

Flaw could enable launch of denial-of-service attack

August 21, 2003 12:00 PM ET

IDG News Service - Database company Oracle Corp. is warning customers about security holes in versions of its Oracle9i Database Server.
Earlier this week, the company released a security alert and a software patch to fix "a set" of buffer overflows in the XML Database (XDB) component of Oracle9i. XDB enables Oracle customers to have query results from the Oracle database returned in XML format.
The vulnerability affects Oracle9i Database Server Release 2. Customers running Release 1 or earlier versions of the 9i Database Server aren't affected, the company said.
A "knowledgeable and malicious" Oracle user could exploit the vulnerability to launch a denial-of-service attack that disrupts the database server's operation or take control of an active user session on the database server, Oracle said.
Once executed, the buffer overflows would give an attacker "total control" over the data stored in the database, enabling him to copy, alter or delete it, according to David Litchfield, a security researcher at Next Generation Security Software Ltd. in Surrey, England.
On certain operating systems, such as Microsoft Corp.'s Windows, the vulnerability would also give attackers total control over the machine running the database server, Litchfield said.
No user account or password would be necessary to exploit a vulnerable 9i server as long as the File Transfer Protocol (FTP) and HTTP servers are enabled on the 9i XDB.
Those services are installed and enabled by default on 9i database servers and can't be disabled individually, Oracle said.
In one case, a buffer-overflow flaw in code used to accept log-ins to the FTP and HTTP servers allows attackers to compromise the database server by submitting extra-long user name and password combinations, Litchfield said.
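As an added example, not part of the original article or of Oracle's code, a defender-side check that flags oversized FTP USER/PASS arguments and HTTP Basic credentials aimed at the XDB listeners, run over constructed sample log lines. The log format, the `xdb-ftp`/`xdb-http` service names and the 256-byte ceiling are assumptions for this example.

```python
import base64
import re

# Assumed ceiling: real Oracle user names and passwords are far shorter, so
# anything above it is worth an alert regardless of the exact overflow size.
MAX_CRED_LEN = 256
# Constructed log format "<service> <source-ip> <payload>"; real sensors differ.
FTP_RE = re.compile(r"^(?P<svc>xdb-ftp) (?P<src>\S+) (?P<cmd>USER|PASS) (?P<arg>.*)$")
HTTP_RE = re.compile(r"^(?P<svc>xdb-http) (?P<src>\S+) Authorization: Basic (?P<b64>\S+)$")


def oversized_basic_auth(b64, limit=MAX_CRED_LEN):
    """True if either half of an HTTP Basic credential exceeds the limit.
    Undecodable tokens are flagged too: the login handler must buffer them
    before it can reject them."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return True
    user, _, password = raw.partition(b":")
    return len(user) > limit or len(password) > limit


def scan(lines, limit=MAX_CRED_LEN):
    """Return (service, source, reason) for each line carrying an oversized credential."""
    hits = []
    for line in lines:
        m = FTP_RE.match(line)
        if m and len(m["arg"]) > limit:
            hits.append((m["svc"], m["src"], f"{m['cmd']} argument is {len(m['arg'])} bytes"))
            continue
        m = HTTP_RE.match(line)
        if m and oversized_basic_auth(m["b64"], limit):
            hits.append((m["svc"], m["src"], "Basic credential exceeds limit"))
    return hits


# Constructed sample: two normal logins and two that should trip the check.
SAMPLE_LOG = [
    "xdb-ftp 10.0.0.5 USER scott",
    "xdb-ftp 10.0.0.5 PASS tiger",
    "xdb-ftp 10.0.0.9 USER " + "A" * 1200,
    "xdb-http 10.0.0.7 Authorization: Basic " + base64.b64encode(b"scott:tiger").decode(),
    "xdb-http 10.0.0.9 Authorization: Basic " + base64.b64encode(b"x:" + b"B" * 900).decode(),
]

if __name__ == "__main__":
    for svc, src, reason in scan(SAMPLE_LOG):
        print(f"{svc} from {src}: {reason}")
```

The same length test applied at a firewall or proxy in front of the listeners is the interim control the article itself says Oracle did not offer; it does not replace the patch.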
Oracle called anonymous attacks from the Internet "unlikely," noting that the database server would have to be accessible directly to the public Internet without a firewall or intervening server.
The vulnerability is readily exploitable from within a corporate intranet, Oracle said. However, given the central role that most database servers play in corporate IT, the distinction between remote and insider attacks is misleading, Litchfield said.
"If people are reading that and saying, 'We're not vulnerable to an Internet attack, so I'm not going to be speedy and patch this,' then Oracle is sending out the wrong vibes," he said.
"If you're an Oracle shop and you're using 9i on your public Web site, attackers can gain control of what's public and then bounce attacks inside. That's what they do," Litchfield said.
Both Oracle and Litchfield advised affected customers to apply the software patch supplied by Oracle as soon as possible.
Although Oracle said there were no interim work-arounds that could be used before the patch is applied, Litchfield said that customers who aren't using the XDB features could disable XDB by modifying their 9i Database Server configuration.

Reprinted with permission from IDG.net
Story copyright 2009 International Data Group. All rights reserved.