Flaws without patches expose Oracle sites

Problems first reported two years ago

Written by James Murray and Dave Bailey

A German security consultancy has disclosed details of several flaws in Oracle products first reported to Oracle two years ago. The move has reignited debate over bug disclosure and may encourage others to release details of unfixed flaws, potentially putting corporate systems at greater risk.

Alexander Kornbrust of Red Database Security (RDS), which released the details, said the flaws were reported to Oracle between July and September 2003, and were all confirmed.

Kornbrust said the flaws affect Oracle Reports and Forms, which are integrated into Oracle's Application Server and E-Business Suite. Three are rated by RDS as high risk and at least one would allow attackers to compromise systems via the internet, he added. Patches have yet to be released.

"Oracle's behaviour [in leaving flaws unfixed] is not acceptable. Oracle put [its] customers in danger," Kornbrust wrote in an RDS alert.

Oracle responded with a statement saying its policy is that "higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities". It added, "We are disappointed when any details of Oracle product security vulnerabilities are released before patches can be made available."

Security experts often argue against disclosure before patches are available, but opinion may be changing. "If the [vendor] isn't interested and doesn't seem to be acting [to fix the flaw] after a period of time maybe you should go public," said Adrian Davis, project manager at the Information Security Forum. However, Davis added that early disclosure has dangers if the details can be exploited by hackers.

In an email to IT Week, Ronan Miles, chairman of the Oracle User Group, said he would ask the database giant for a "full commentary" on the unfixed vulnerabilities. Although the group is against such early disclosure, Miles said it understood why RDS had released the information.

The flaws include weaknesses that would allow attackers to execute commands with system privileges, as well as file overwriting, information disclosure and cross-site scripting attacks.
