Oracle warns of three new flaws

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1009_3-5053714.html

By Robert Lemos 
Staff Writer, CNET News.com
July 24, 2003

Database maker Oracle warned customers on Wednesday of three new flaws
in its products and reiterated its warning to businesses of a fourth
flaw that uses the company's application server.

The two most serious vulnerabilities were in the firm's E-Business
Suite, Oracle's set of server applications for managing everything
from accounting to Intranets. Both were given the highest of three
threat ratings assigned by Oracle to its products' vulnerabilities.

"Our rating system is based upon likelihood of exploitation and risk
of damage if the issue were exploited," said John Heimann, director of
security product management for Oracle. "Either of these issues is
exploitable and could result in damage if exploited."

Oracle has issued advisories and patches on all four vulnerabilities
[1].

The first E-Business Suite vulnerability, caused by a set of unsecured
Java server pages, could allow any user to view the product's
configuration and host-system information. The second flaw, a buffer
overflow, could lead a component of the suite to crash and potentially
allow an attacker to run code on the system.

The flaw in the company's database server could allow an attacker to
execute code against the system--but only if the person already has
database-administrator rights to the system. The main concern with
this type of an attack is that a company insider could gain a higher
level of privilege on the server.

Oracle also reiterated a warning about several flaws in the
application server that could allow people to read files or to look at
the source code of Java server pages.

[1] http://otn.oracle.com/deploy/security/alerts.htm



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.