Oracle Warns of ‘High Risk’ Product Flaws

Data management heavyweight Oracle has issued an
alert for “high risk” security flaws in several server products, warning
that the vulnerabilities could lead to system access.

The Redwood City, Calif.-based firm said a range of its server products
was affected by vulnerabilities in the OpenSSL library and could be
exploited to allow information leakage, denial-of-service attacks
and server takeover by malicious attackers.

Affected products include the Oracle HTTP Server 8.x, Oracle HTTP Server
9.x, Oracle8i Database, Oracle9i Application Server, Oracle9i Database
Enterprise Edition and the Oracle9i Database Standard Edition.

The company warned that there was no workaround available, urging customers to apply the specific patches to vulnerable systems.

The Oracle products are vulnerable to flaws detected
earlier this year in OpenSSL, the popular open-source implementation of the
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The SSL and TLS protocols are used to provide a secure connection between
a client and a server for higher level protocols, such as HTTP. According
to the CERT Coordination Center, the OpenSSL flaws were mostly buffer
overflows that occurred during the SSLv2 handshake process. They can be
exploited by a client using a malformed key during the handshake process
with an SSL server connection.

In October, the OpenSSL Project released new versions to
fix the holes, which carried a “highly critical” rating.

The security holes were first detected by the U.K.-based National
Infrastructure Security Coordination Centre (NISCC), which prepared a test
suite to check the operation of SSL/TLS software when presented
with a wide range of malformed client certificates.

The Centre’s tests found that if OpenSSL was used in debug mode, an
invalid public key in a certificate could cause the certificate verification code to crash. This
could also lead to a DoS against systems running in debug mode.