Channel News and Analysis - Channel Insider

 


Convergence:
The Next
Security Wave
The convergence of physical and logical security isn't a new idea, but largely untapped by solution providers. Groups like 1nService and PSA Security are bringing these largely segmented channels together for this $7 billion market opportunity.
 

Critical Flaw Uncovered in Oracle E-Business Suite, Applications

DATE: 2004-06-09
By Lisa Vaas

Article Rating:starstarstarstarstar / 0

Rate This Article:
Poor Best
Add This Article To:
A critical SQL injection vulnerability puts at risk Oracle Applications and E-Business Suite customers.

All Oracle Corp. Applications and most E-Business Suite customers are at high risk from multiple, critical SQL injection vulnerabilities. The vulnerabilities were uncovered by Stephen Kost from the security firm Integrigy Corp. An alert put out by Integrigy last week described the flaw as being exploitable by a remote user who can send a specially crafted URL to a Web server via a browser.

The risk level for the flaw is critical. Vulnerable versions include 11.5.1 through 11.5.8 of E-Business Suite. Release 11.5.9 is unaffected. Also at risk are both supported releases of Oracle Applications: 11.0 and 11i. All platforms are affected.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

According to Integrigy's alert, all customers are at risk, since Oracle Applications 11i installs code for all product modules. According to an advisory sent out by Oracle (click here for a .PDF of the advisory), risk to exposure is high, since the flaw can be exploited by any user with a browser and the knowledge of how to exploit the flaw.

The SQL injection vulnerability allows attackers to easily and effectively take over a database and application or to execute SQL statements. It works via the insertion of SQL code fragments into Web page input fields.

Customers who face the highest risk are those with Internet-facing application servers, because such servers are vulnerable to remote attack with a browser. According to Integrigy's alert, attacks can be customized for Oracle Applications.

An attack may take the form of one single HTTP Get or Post and can easily be designed to evade most intrusion detection and prevention systems.

There is no workaround for these vulnerabilities. Oracle has released a patch to correct the problems, available in Oracle Metalink Note ID 274375.1.

Check out eWEEK.com's Database Center at http://database.eweek.com for the latest database news, reviews and analysis.

Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page



Discuss Critical Flaw Uncovered in Oracle E-Business Suite, Applications
 
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Channel News and Analysis Articles          >>> More By Lisa Vaas
 



 
CHANNEL DEEP DIVES
CareersLinux and Unix
Computer NetworkingPrinters
SecuritySMB Partner
StorageSurveys
Solution BuilderMessaging/Collaboration
Dell ResellersMicrosoft Partners

 
 

SIGN UP FOR CHANNEL INSIDER NEWSLETTERS
Reliable, timely information on the business of technology. Sign up now.

RSS SUBSCRIPTIONS
XML
Add Channel News, Product Reviews, Trends and Analysis to your RSS newsreader or My Yahoo!

ZDE Services
> Ziff Davis White Paper Library

> Baseline ROI Calculators

> eWEEK Labs RFPs and Tools

 
CHANNEL RESOURCE CENTER
HP StorageWorks Scalable NAS is highly available, scalable network-attached storage for any industry solution. To learn how you can take full advantage of fault-tolerant NAS that seamlessly scales capacity and performance, visit: http://www.hp.com/go/scalablenas


Feature Video: What Can Green Do For You?
There are many ways that systems can be run faster or more efficiently, using less energy and thereby reducing costs. Watch now!
Microsoft-hosted solution offers you advanced customer relationship management capabilities without a major investment in IT and staffing.
Try It for free for 30 days!
 

 
   Sponsored Links     
 

  • Check Point Security Appliance Trade in Promotion
  • Increase efficiency with Dell PartnerDirect
  • Avoid the crash. Arm your Road Warriors with SSD
  • Get FREE online training modules from BlackBerry.
  • Bundles with room to grow and room to go!
  • Free BlackBerry(R) Training Tour. Win a Smartphone.
  • Request a Novell/Microsoft deployment kit.
  • Improve the customer experience with Dialogue
  • Meet the demand for green technology with HP desktops
  • Download the “Best Antivirus Product of 2007”


    •    Channel Insider      Contact Us | Advertise | Site Map | VARs | System Builder
    eWEEK Quick LInks Storage Devices | Networking Security | Network Infrastructure | Wireless Networking | Database Management Systems | PC Desktops | Web Programming | Enterprise Solutions Linux Operating Systems | Mac Operating System | Mobile Messaging | Internet Telephony Microsoft Windows News | Google Watch | IBM Watch

    Ziff Davis Enterprise Home | Contact Us | Advertise | Link to Us | Reprints | Magazine Subscriptions | Newsletters
    Tech RSS Feeds | White Papers | ROI Calculators | Tech Video

    Baseline | Careers | Channel Insider | CIO Insight | DesktopLinux | DeviceForge | DevSource | eSeminars |
    eWEEK | Enterprise Network Security | LinuxDevices | Linux Watch | Microsoft Watch | Mid-market | Networking | PDF Zone |
    Publish | Security IT Hub | Strategic Partner | Web Buyer's Guide | Windows for Devices

    Developer Shed | Dev Shed | ASP Free | Dev Articles | Dev Hardware | SEO Chat | Tutorialized | Scripts |
    Code Walkers | Web Hosters | Dev Mechanic | Dev Archives | igrep

    Use of this site is governed by our Terms of Use and Privacy Policy

    Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. Channel Insider is a trademark of Ziff Davis Enterprise, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise, Inc. is prohibited.