Wednesday, January 26, 2022

Security firm reports vulnerability in Oracle8, 8i

A security firm on Thursday reported finding vulnerabilities in Oracle Corp.’s 8 and 8i database products which it said potentially could provide attackers with full access to the database, allowing them to create, delete, or modify information.

The Covert Labs division of PGP Security, which itself is a division of Network Associates Inc., issued two advisories Wednesday night, both pertaining to Oracle’s TNS (Transparent Network Substrate). The TNS Listener, which is used to establish and maintain remote communications with Oracle database services, is vulnerable to a buffer overflow, which could allow a remote user to execute malicious code on the database server, Covert Labs said in its advisory.

“This is no more difficult (to cause) than most normal buffer overflows,” Jim Magdych, security research manager for PGP Security said. “It’s probably just a matter of time before someone releases a script to take advantage of it.”

A second vulnerability in TNS allows a remote user to mount a denial of service attack against any Oracle service relying on the Net8 protocol, Covert said in a second advisory. Services that make use of the protocol include TNS Listener, Oracle Name Service and Oracle Connections Manager, Covert said. TNS is designed to provide a single application interface to all industry-standard networking protocols.

Oracle said it was aware of the vulnerabilities and has already issued a patch. “All software has bugs, and we immediately put up a patch,” an Oracle spokesperson said. The spokesperson declined to comment on the severity of the security holes.

The patches are available at http://metalink.oracle.com under bug numbers 1489683 and 1656431.

PGP Security, in Santa Clara, Calif., can be reached at http://www.pgp.com/. Oracle, in Redwood Shores, Calif., can be reached at http://www.oracle.com/.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada

After being all-digital last year, the Consumer Electronics Show is back in Las Vegas for 2022. Find all the latest news and announcements from the showroom floor at CES 2022.

Related Tech News