Database giant Oracle Corp. is warning customers about security holes in versions of its Oracle 9i Database Server.
On Monday the Redwood Shores, Calif. company released a software patch and Security Alert to fix “a set” of buffer overflows in the XML (Extensible Markup Language) Database component of Oracle9i. (Please see http://otn.oracle.com/.)
The XML Database (XDB) enables Oracle customers to have queries to the Oracle database returned in XML format.
The vulnerability affects Oracle 9i Database Server Release 2. Customers running Release 1 or earlier versions of the 9i Database Server are not affected, the company said.
A “knowledgeable and malicious” Oracle user could exploit the vulnerability to launch a denial of service (DoS) attack that disrupts the Database Server’s operation, or take control of an active user session on the Database Server, Oracle said.
Once executed, the buffer overflows would give an attacker “total control” over the data stored in the database, enabling them to copy, alter or delete it, according to David Litchfield of Next Generation Security Software Ltd. in Surrey, U.K.
On certain operating systems, such as Microsoft Corp.’s Windows, the vulnerability would give attackers total control over the machine running the database server, as well, Litchfield said.
No user account or password would be necessary to exploit a vulnerable 9i Server as long as the FTP (File Transfer Protocol) and HTTP servers are enabled on the 9i XML Database.
Those services are installed and enabled by default on 9i Database Servers and cannot be disabled individually, Oracle said.
In one case, a buffer overflow flaw in code used to accept logins to the FTP and HTTP servers allows attackers to compromise the database server by submitting extra long user name and password combinations, Litchfield said.
Oracle calls anonymous attacks from the Internet “unlikely,” noting that the Database Server would have to be accessible directly to the public Internet without a firewall or intervening server.
The vulnerability is highly susceptible to attack from within a corporate intranet, Oracle said.
However, given the central role that most database servers have in corporate IT, the distinction between remote and insider attacks is misleading, according to Litchfield.
“If people are reading that and saying ‘We’re not vulnerable to an Internet attack, so I’m not going to be speedy and patch this,’ then Oracle is sending out the wrong vibes,” he said.
“If you’re an Oracle shop and you’re using (Oracle) 9i on your public Web site, attackers can gain control of what’s public and then bounce attacks inside. That’s what they do,” Litchfield said.
Both Oracle and Litchfield advised affected customers to apply the software patch supplied by Oracle as soon as possible.
While Oracle said there were no interim workarounds that could be used before the patch is applied, Litchfield said that customers who are not using the XDB features could disable XDB by modifying 9i Database Server configuration.
