NEWS Oracle has issued a warning to customers using the most recent version of its ecommerce program of a flaw that puts their systems at risk.
In a terse but strongly worded advisory released to customers last week, Oracle said a software flaw in its Oracle 11i E-Business Suite and its Oracle Applications 11.0 could let an attacker take control of the database that powers the programs.
"Risk of exposure is high, as any user with browser access and specialised knowledge can exploit" the flaw, Oracle said in the advisory. The company would not provide details. Oracle has released a patch for the problem and urged customers to update their systems.
Security information provider Secunia rated the vulnerability as "highly critical," its second highest rating.
The vulnerability was discovered by Stephen Kost, CTO for Integrigy, a company focused on creating software to secure critical corporate applications. Integrigy's own advisory agreed with Oracle's on the ease with which the flaw could be exploited.
"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single [HTTP request], successful attacks can be easily designed that will evade most intrusion detection and prevention systems," Integrigy said in its advisory.
A year ago, the Integrigy also published information on two other flaws in the same Oracle product.
