Information Security News mailing list archives

Oracle Issues High-Severity Vulnerability Warning


From: InfoSec News <isn () c4i org>
Date: Mon, 8 Dec 2003 04:26:42 -0600 (CST)

http://www.eweek.com/article2/0,4149,1405700,00.asp

By Brian Fonseca 
December 5, 2003 

Oracle this week issued a high severity security alert warning of 
Secure Sockets Layer (SSL) vulnerabilities that will require the 
immediate attention of managers to apply patch fixes on at-risk 
systems. 

According to an Oracle Security Alert issued on Thursday, the 
notification addresses SSL vulnerabilities detailed in CERT Advisory 
CA-2003-26 and SSL vulnerabilities detailed in several older Common 
Vulnerabilities and Exposures (CVE) Candidates. 

Through its alert, Redwood City, Calif.-based Oracle confirmed that a 
variety of its server products could be tampered with through 
vulnerabilities via the OpenSSL protocol. The flaws could potentially 
open the door for a remote hacker to cause a denial-of-service (DoS) 
attack, execute arbitrary code, and gain access privileges. 

Products concerned with the vulnerability include certain releases of 
Oracle9i Database Server, Oracle8i Database Server, Oracle9i 
Application Server, and Oracle HTTP Server. 

OpenSSL is a widely used open-source deployment of the SSL and 
Transport Layer Security (TLS) protocols. The protocols offer 
encryption, authentication, and other security measures to HTTP and 
other network applications. 

To minimize risk, Oracle recommended that users apply patches since no 
workarounds exist that fully address the potential security 
vulnerabilities. Patches for the security vulnerabilities are 
available on Oracle's support Web site, MetaLink. 




