[Previous entry: "Many ways to become DBA"] [Next entry: "Oracle XE will get upgrades with security fixes rather than patches"]
More than 275 new security bugs found last week in the Oracle 10g database
November 9th, 2005 by Pete
Post to del.icio.us
Post to Furl
I saw a news item on EWeek today in an article written by Paul F. Roberts titled "New Security Risks Hit Oracle" that talks about the recent Oracle worm and how it does not use any security bugs but exploits configuration insecurities. The key information in this post is the announcement that last week Alex Kornbrust reported more than 250 SQL Injection bugs in standard packages shipped in the Oracle 10g Release 1 database. A quote from the article says:
"said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the company's 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1."
Alex also developed exploit code for some of the bugs that can be used to escalate privileges. He said up to 30% of the bugs can be used to escalate privileges.
Separately on Alex's "Upcoming Oracle Security Alerts" he shows that he has reported 25 vulnerabilities in the October 18 2005 Critical Patch update.
This totals more than 275 new bugs in the Oracle database products, almost exclusively in built-in PL/SQL packages that in most cases have PUBLIC execute privileges.
