34 flaws found in Oracle database software
Company plans to issue security alert 'soon'

News Story by Jaikumar Vijayan

AUGUST 03, 2004 (COMPUTERWORLD) - Oracle Corp. will soon issue patches to fix 34 different vulnerabilities in its database software that were disclosed to it early this year by a British bug hunter.

The flaws, a majority of which are serious, affect both existing and previous versions of Oracle's database technology, said David Litchfield, managing director of Surrey, England-based Next Generation Security Software Ltd.

"They include buffer overflows, SQL injection issues and a whole range of other minor issues," said Litchfield, who discovered the flaws. He said that he reported them to Oracle in January and February.

"Some of them can be exploited without a user ID and password, while others require them," Litchfield said. Nearly 90% of the flaws allow attackers to potentially gain complete administrative control of vulnerable database servers, he said.

Oracle confirmed the existence of the flaws, which were discussed publicly at last week's Black Hat security conference in Las Vegas, but did not offer any further comment. In an e-mailed statement, a company spokeswoman said that Oracle had fixed the flaws and would issue a security alert "soon."

According to Litchfield, some of the vulnerabilities are easy to exploit, whereas others require attackers to have fairly detailed technology skills. He said that his company has exploits available that take advantage of the flaws but that it has no plans to release them publicly.

Article continued at: http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95013,00.html