We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Not so 'unbreakable'?

Security holes found in Oracle software

Despite advertising claims by Oracle that its Oracle9i database is 'unbreakable', a UK security firm this week said it had found security holes in the software.

Several security flaws were discovered in the company's software, including one that could allow a hacker to gain access to Oracle's database server without a user ID or password.

The flaws were discovered by Next Generation Security Software in Sutton, Surrey. Oracle said yesterday that it was first informed about the flaws in December and has already made patches and workarounds available.

"No Oracle customers have reported issues stemming from these bugs," the company said in a statement.

David Litchfield, co-founder of Next Generation, gave details of the flaws on yesterday after announcing in December that he had discovered them.

Litchfield is expected to present a paper on his work at an upcoming Black Hat security conference, according to an Oracle spokeswoman.

The vulnerability that allows attackers to access a database server without authorisation also permits the attacker to execute a function in that software from a remote location. It affects Oracle9i and Oracle8i database servers running on all operating systems, according to the security advisory.

A second flaw could allow attackers to run arbitrary code or perform a DOS (denial of service) attack on the Oracle9i application server running on Sun's Solaris 2.6 operating system for Sparc processors, Microsoft's Windows NT and Windows 2000 Server operating systems, and HP's HP-UX version 11.0 operating system for 32bit operating systems, according to the advisory.

Another vulnerability enables an attacker to view the source code of JSPs (Java Server Pages) when they are downloaded from Oracle9i application servers running on all operating systems. Those files often display information such as the database user ID and password.

The security advisories are available at Next Generation Securities' website. Oracle has made patches and workarounds available online here.


IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

Apple's 2014 highlights: the most significant Apple news of 2014

IDG UK Sites

Watch this heartwarming Christmas short by Trunk for composer John Rutter

IDG UK Sites

Ultimate iOS 8 Tips: 35 awesome and advanced tips for using iOS 8 on iPhone and iPad