By Joey Gardiner, 15 March 2002 12:40
Internet security watchdog Cert has issued an advisory listing multiple vulnerabilities in Oracle's "unbreakable" database and application server software. The vulnerabilities include so-called buffer overflow problems that could allow hackers to run arbitrary programmes, launch denial of service attacks and access confidential information.

The warning - from probably the world's most respected internet security body - is a body blow to Oracle, which has been marketing its products as "unbreakable" to lure customers away from Microsoft.

The Cert advisory is the culmination of concerns many in the security industry have been voicing for months that Oracle systems could not live up to their unbreakable billing. Indeed the advisory is based on a presentation given by NGSSoftware at the annual Black Hat IT security conference in February.

Cert warns users of 37 separate security holes of varying seriousness, including one flaw that potentially allows an arbitrary user to log on to the database without any authentication.

Pete Finnegan, Oracle security expert for UK security firm Pentest, said there was no known patch for this vulnerability. He told silicon.com: "Oracle have created a workaround, but this is not really good enough in the long term. The problem is it's at a fundamental level in the database so is very difficult to tackle."

Finnegan did add that Oracle had addressed the concerns highlighted by the Cert advisory, but criticised the firm for being slow to react.

The flaws affect the Oracle 8i and 9i databases, and the 9i Application Server. Oracle has been under the security spotlight since CEO Larry Ellison stood up and declared the new 9i database "unbreakable" last autumn at Comdex.

The advisory is a double whammy for Oracle, which also today issued disappointing results showing profits down sharply.

Oracle refused to provide a spokesman to comment on the story as it said the vulnerabilities were not new. However, in a written statement it said: "No Oracle customers have reported issues stemming from these bugs and information is posted for customers and OTN members on Oracle MetaLink and http://otn.oracle.com/deploy/security/alerts.htm"

Worried users can also find the Cert advisory at: http://www.cert.org/advisories/CA-2002-08.html.