Oracle fixes database, application server flaws

Oracle Corp. is patching four security flaws in its database software and two in its application server, the most serious of which could allow an attacker to take complete control of a system running the software, experts warned.

Most dangerous is a buffer overrun flaw in the Oracle.exe binary of Oracle’s database 9i Release 2, 9i Release 1, 8i version 8.1.7 and 8 version 8.0.6, according to Mark Litchfield, a security researcher with Next Generation Security Software Ltd. (NGSSoftware) of Sutton, England. Litchfield is credited by Oracle for discovering the flaw.

The flaw lies in the authentication process for the database. By supplying an overly long username, an attacker can overflow a stack-based buffer and load arbitrary code onto the system, allowing for a complete compromise, Litchfield wrote in a security advisory distributed Monday via the BugTraq mailing list.

An exploit can only be successful if a client application does not properly limit the data sent to the database, Oracle said in its security alert released last week. Litchfield in an interview on Tuesday agreed, but said “it is fairly simple to write your own Oracle authenticator.”

The other three flaws affecting the same versions of Oracle’s database product are also buffer overruns, but can only be exploited by a user who can log on to the database, mitigating the risk.

Oracle introduced two vulnerabilities in its 9i Application Server when it added in version 9.0.2 a feature called Web Distributed Authoring and Versioning (WebDAV) that turns the Web into a file sharing system, according to another alert from NGSSoftware also distributed on Monday.

The WebDAV feature is turned on by default, allowing attackers to anonymously upload files to the server. Furthermore, a flaw in a logging function of the feature is flawed. An attacker could take over the server by sending it a specially formatted string, according to NGSSoftware.

Oracle has patches available to fix all of the flaws in its database software for most operating systems, while patches for some platforms are still in the works. Application Server users are urged to turn off WebDAV or upgrade to 9.0.3 of 9i Application Server and apply a patch.

More information on all flaws and patch availability can be found on Oracle’s security Web site at