By Robert Lemos, 25 July 2003 06:19
NEWS Oracle is warning customers about three new serious security flaws in its products that could allow an attacker to run malicious code. The two most serious vulnerabilities were in the firm's e-business suite, Oracle's set of server applications for managing everything from accounting to intranets. Both were given the highest of three threat ratings assigned by Oracle to its products' vulnerabilities. John Heimann, director of security product management for Oracle, said: "Our rating system is based upon likelihood of exploitation and risk of damage if the issue were exploited. Either of these issues is exploitable and could result in damage if exploited." The first e-business suite vulnerability, caused by a set of unsecured Java server pages, could allow any user to view the product's configuration and host-system information. The second flaw, a buffer overflow, could lead a component of the suite to crash and potentially allow an attacker to run code on the system. The flaw in the company's database server could allow an attacker to execute code against the system - but only if the person already has database administrator rights to the system. The main concern with this type of an attack is that a company insider could gain a higher level of privilege on the server. Oracle also reiterated a previous warning about several flaws in the application server that could allow people to read files or to look at the source code of Java server pages. Oracle has issued advisories and patches on all four vulnerabilities. Robert Lemos writes for CNET News.com
In order to post a comment you need to be registered and logged in.
Log in or create your silicon.com account below