Patching Oracle, IBM For The Holiday
A variety of flaws in leading database products need fixing; some also affect Oracle's application server.
Security experts at U.K.-based Next Generation Security Software brought tidings of security vulnerabilities in Oracle and IBM software in time for the Christmas holiday.
But both companies have issued patches and fixes to correct the issues.
The firm pointed to vulnerabilities in Oracle's Application Server and Database Server that may allow an intruder to gain unwanted access privileges. It also said IBM's DB2 Universal Database also suffers from buffer overflow flaws.
The Oracle flaws, which affect the Redwood Shores, Calif., company's 10g or 9i software, range from medium to high risk, said NGSSoftware's David Litchfield, in a report Thursday. Oracle has released patches for the openings.
Litchfield warned that a high-risk hole in Oracle 10g/9i Database Servers can allow an attacker to gain illicit privileges on the software. The flaw has been dubbed a "trigger abuse" vulnerability. While database triggers normally help maintain data integrity, several default triggers in Oracle can be abused, Litchfield said.
Litchfield said Oracle 10g Database has an "extproc" buffer overflow, a high-risk hole that takes advantage of Oracle's support for the PL/SQL programming language. Malicious users can execute external procedures via extproc.
Two medium-risk bugs also seize on extproc, which has been found to suffer from a directory traversal problem that allows attackers access to arbitrary libraries, as well as a local command execution flaw that could allow local users to run commands as an Oracle user.
Oracle 10g and 9i suffer from multiple PL/SQL injection vulnerabilities, the firm said. The code for PL/SQL procedures can be encrypted to trigger a buffer overflow. This exploit lets an attacker run code as the Oracle user.
A character conversion problem exists in Oracle 10g Application Server (AS), Litchfield said. The high-risk opening allows perpetrators to bypass PL/SQL exclusions and gain access to the database server. Windows and Linux are affected.
The Application Server is also prone to a ISQL*Plus load.uix file access opening. The Application Server installs ISQL*Plus. Once logged in, an attacker can use load.uix to read files on the server, said the security expert.
Lastly on the Oracle front, Litchfield said the 10g Oracle TNS Listener hole is vulnerable, allowing an intruder to trigger a denial of service attack of an operating system.
Oracle's application server and database weren't the only major infrastructure products Litchfield shone his spotlight on. He also found buffer overflows in IBM's DB2.
IBM has listed fixpacks for a DB2 "generate_distfile" buffer overflow for version 8.1/7.x. Finally, a "rec2xml" function in DB2, used to format a string in XML, is also susceptible to a buffer overflow, but IBM has also issued a fixpack for the issue as well.
Security firm iDefense also said IBM had patched an "invscout" local command execution vulnerability in some newer versions of its AIX operating system this week. According to an advisory it sent on Monday, the exploitation of the vulnerability could allow local attackers to gain increased privileges (although it would require a local account and a writable directory).
IBM issued fixes for AIX versions 5.1.0, 5.2.0 and 5.3.0 and urged customers to upgrade to these levels if they hadn't already.