
[ISN] US government and security firms warn of critical Oracle flaws

Subject: [ISN] US government and security firms warn of critical Oracle flaws
Date: Fri, 3 Sep 2004 05:14:48 -0500 (CDT)
http://www.techworld.com/security/news/index.cfm?newsid=2172

By Paul Roberts
IDG news service
03 September 2004

The US government's Computer Emergency Response Team (US-CERT) and
software security companies have issued warnings about a number of
security vulnerabilities in versions of Oracle's software.

US-CERT has issued an alert citing several security flaws in Oracle
products that could be used to shut down or take control of vulnerable
systems running the software or to corrupt or steal data from the
Oracle Databases.

The security holes affect a number of Oracle products, including
versions of its 8i, 9i and 10g Database, Application Server and
Enterprise Manager software, according to a bulletin posted by Oracle,
which also released a patch for the vulnerabilities.

Few details of the vulnerabilities were available from Oracle or other
companies. Oracle said that the holes in its Database Server and
Application Server were rated "high" and that exploiting some required
network access, but not a valid database user account. Holes in the
Enterprise Manager were rated "medium" by Oracle and required both
network access to the vulnerable machine and a valid user account to
take advantage of, Oracle said.

According to an alert issued by Next Generation Security
Software (NGSS) [1], the vulnerabilities include SQL injection attacks,
in which attackers inject malicious code into Web-based forms and
other features that are used to generate Web content dynamically,
denial of service attacks and buffer overflows, in which malicious
code is placed on a vulnerable system by exceeding an area of a
vulnerable computer's memory that is allocated for use by a software
program.

NGSS is withholding details about the vulnerabilities for three months
to give Oracle database administrators the time to test and patch
vulnerable systems.

Oracle "strongly" recommends that customers apply the patch, noting
that there is no work-around that addresses the new security
vulnerabilities.

[1] http://www.nextgenss.com/advisories/oracle-01.txt


