Oracle Warns of Critical Exploits

By Lisa Vaas  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

The company says critical technology vulnerabilities have been publicly exploited.

Critical Oracle Corp. technology vulnerabilities have been publicly exploited, the company advised in a recent security update that urged users to apply the patches contained in its Security Alert 68.

"Oracle is aware of public exploits (as indicated in the latest version of the alert) for several of the vulnerabilities, and more exploits may be created," the company said in the e-mail alert. "Security Alert 68 is a critical security update and should be applied as soon as possible."

The vulnerabilities were addressed in the Redwood Shores, Calif., company's first monthly patch rollup, which was released on Aug. 31. At the time this story was posted, Oracle had not returned phone calls seeking details of the exploits.

The vulnerabilities in question, however, included the potential for buffer overflow attacks, SQL injection techniques for gaining access to Oracle databases, and the ability for a remote attacker to take advantage of a known, default user account and password.

Other flaws allow databases to be exploited by regular users, who can crash the database or escalate privileges to administrator level. Multiple versions of Oracle's Database Server, Application Server and Enterprise Manager software are at risk.

Security experts and Oracle watchers are pricking up their ears as they spot message board posts such as this one that request further information on the bugs.

"If this increases or the information becomes more readily available, then some companies are going to have problems," said a Weblog entry posted by the Oracle security company PeteFinnigan.com Ltd. "Exploits are not just used by Internet-based hackers; they can also be used internally by employees."

Check out eWEEK.com's Database Center at http://database.eweek.com for the latest database news, reviews and analysis.

Be sure to add our eWEEK.com database news feed to your RSS newsreader or My Yahoo page

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...