A security firm has reported finding vulnerabilities in Oracle's 8 and 8i database products which, it said, could potentially give attackers full access to the database, allowing them to create, delete, or modify information.
The Covert Labs division of PGP Security, which itself is a division of Network Associates, issued two advisories last week, both pertaining to Oracle's TNS (Transparent Network Substrate). The TNS Listener, which is used to establish and maintain remote communications with Oracle database services, is vulnerable to a buffer overflow, which could allow a remote user to execute malicious code on the database server, Covert Labs said in its advisory.
"This is no more difficult (to cause) than most normal buffer overflows," Jim Magdych, security research manager for PGP Security, said. "It's probably just a matter of time before someone releases a script to take advantage of it."
A second vulnerability in TNS allows a remote user to mount a denial-of-service attack against any Oracle service relying on the Net8 protocol, Covert said in a second advisory. Services that make use of the protocol include TNS Listener, Oracle Name Service and Oracle Connections Manager, Covert said. TNS is designed to provide a single application interface to all industry-standard networking protocols.
Oracle said it was aware of the vulnerabilities and has already issued a patch. "All software has bugs, and we immediately put up a patch," Oracle spokeswoman Emily Kao said. Kao declined to comment on the severity of the security holes.
The patches are available at metalink.oracle.com under bug numbers 1489683 and 1656431.