Oracle patches SSL server bugs

Oracle Corp. has issued a security alert and software patches for a set of serious vulnerabilities in the security protocols used by some of its server products.

The flaws affect certain versions of Oracle’s 8i and 9i Database Server, Oracle 9i Application Server, and versions 8 and 9 of the Oracle HTTP Server, according to the alert dated Dec. 4.

Any client that can access an affected Oracle server could exploit the vulnerabilities, according to the alert, which characterizes users’ risk of exposure from the vulnerability as “high.” Oracle “strongly recommends” that users apply patches for these vulnerabilities and said there were no alternate workarounds to correct the issues.

The flaws exploit the Abstract Syntax Notation 1 (ASN.1) syntax notation that is used by the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which are widely used for exchanging data securely on the Internet.

“A lot of the problems have to do with the way that ASN.1 handles purposefully badly constructed data,” said Art Manion an Internet security analyst with Carnegie Mellon’s Computer Emergency Response Team (CERT) Coordination Center in Pittsburgh, Pa.

By submitting data that was “purposefully badly constructed,” a malicious client could theoretically gain control over certain servers running SSL or TLS software, Manion said. “In a worst case scenario, a malicious client, using a specially crafted client certificate, could execute arbitrary code on a vulnerable server,” he said.

Though the exploit is technically possible it has not yet been used by attackers, Manion said. “These vulnerabilities aren’t so dead easy to exploit,” he said.

The vulnerabilities were originally discovered by researchers at London’s National Infrastructure Security Coordination Center and then documented in a CERT advisory on Oct. 1, 2003, Manion said.

Oracle could have reduced the risk presented by these bugs had it removed certain features from the OpenSSL software libraries included with its servers, according to Thor Larholm, a senior security researcher with PivX Solutions LLC, a network security consultancy based in Newport Beach, Calif.

“Oracle…should have done more to tailor the available functionality in the libraries they included, as some of the vulnerabilities in OpenSSL which Oracle subsequently became vulnerable to (are) not even used by Oracle itself,” he said.

The vulnerabilities have affected a wide variety of software that employs the SSL and TLS protocols, including Oracle’s, he said.

An Oracle spokesperson was unavailable for comment Monday.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now