Oracle unbreakable? Yeah, wrong

There's a certain amount of glee in reports of security flaws found in Oracle's 9i database. And well there might be. The company last year began running ads saying "Unbreakable".

Boss Larry Ellison, meanwhile, seen on the Hauraki Gulf during the holidays aboard his super-boat, as good as invited every hacker on earth to prove him wrong during an address at Comdex in November. "The new version of Oracle is completely fault-tolerant. You can't break in," he declared. Yeah, right, his audience would have been thinking.

That was then. Now that a UK security specialist has found flaws in 9i, do you think Ellison has changed his tune? Not a bit of it. Last month when Microsoft declared “trustworthy computing” to be its 2002 goal, Ellison scoffed. "Microsoft isn't good at security. We're good at that and I don't think sending a memo is going to help.” By that stage Oracle had been informed of the 9i flaws, discovered in December, but Ellison was still feeling bold enough to keep up the bravado.

But whether Oracle is as good at security as Ellison is at making headlines is questionable. The popular perception might be that Oracle’s software is secure; that’s certainly the impression of one Auckland user. “I’ve poked my nose into many corners [of Oracle’s software] and it seems technically solid,” he told Computerworld last week.

According to a local company which does nothing but monitor security alerts, however, Oracle has been the subject of hundreds of security scares in the past couple of years. And even before Ellison’s Comdex boast, potential vulnerabilities were found in Oracle 8 and 8i which could provide attackers with full database access.

The Oracle 8 flaws were reported by the Covert Labs division of PGP Security, a division of Network Associates, and related to Oracle's TNS (Transparent Network Substrate). The TNS Listener, which is used to establish and maintain remote communications with Oracle database services, was vulnerable to a buffer overflow, which could allow a remote user to execute malicious code on the database server. A second vulnerability in TNS allowed a remote user to mount a denial of service attack against any Oracle service relying on the Net8 protocol.

Oracle’s response was to issue a patch. “All software has bugs,” a spokeswoman said. She can’t have mentioned that to Ellison.

When he took the stage at Comdex, he apparently acknowledged the riskiness of his remarks. "Everyone at Oracle was very nervous," Ellison said. "We're just going to cause every hacker around the world to attack the Oracle sites. They said, Larry, are you crazy?"

Sure enough, the number of hackers trying to bring down Oracle's website increased 10-fold, to 1000 attacks a day, according to Ellison. But he was sure Oracle 9i’s Real Application Clusters, or groups of servers for accessing a database, would keep them at bay.

Maybe they do. But a security boffin at Next Generation Security Software in the UK, David Litchfield, a short time later found a way that a hacker can access Oracle's database server without a user ID or password. Oracle can be thankful that Litchfield gave it time to create a patch before publishing the details of the flaws 10 days ago.

The vulnerability not only allows attackers to access a database server without authorisation but it also allows the attacker to execute a function in that software from a remote location. It affects Oracle 9i and Oracle 8i database servers running on all operating systems, according to a security advisory.

A second flaw could allow attackers to run arbitrary code or perform a denial of service attack on the Oracle 9i application server running on Sun's Solaris 2.6 OS for Sparc processors, Windows NT and Windows 2000 Server operating systems, and Hewlett-Packard's HP-UX version 11.0 for 32-bit operating systems, according to the advisory.

Another vulnerability enables an attacker to view the source code of JSP (Java server pages) when they are downloaded from Oracle 9i application servers running on all operating systems. Those files often display information such as the database user ID and password. Oracle has made patches and workarounds available online.

Surely Ellison has egg on his face after this? Not in the least, according to our local security watcher. “Ellison’s saving himself a fortune on security testing by having the world’s hackers do it for him.” Maybe. Certainly, by the conclusion of the America’s Cup sailing regatta, in which Ellison is hoping to be a participant, I fear we’ll be even more familiar with his bluster.

Doesburg is Computerworld’s editor. Send letters for publication to Computerworld Letters.
