Security Bugs in Oracle, Lotus Products

A British security research firm has released a slew of security warnings for flaws in enterprise products from Oracle and IBM’s Lotus.

Security advisories from NGSSoftware warned of six serious flaws in components of Oracle’s database server software, including four “critical” buffer overrun vulnerabilities.

Oracle has released patches for the flaws, which also affect its newest Oracle 9i Application Server, which is specially designed to integrate with an Oracle backend database server. One of the more serious vulnerabilities is a format string bug that would let an attacker overwrite an arbitrary address with arbitrary values and gain complete control of the Web server.
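For readers unfamiliar with the bug class, the following C snippet is an added illustration of what a format string vulnerability is and how it is fixed; it is not code from Oracle, NGSSoftware or the affected server, and the function names and message strings are constructed for this example. The vulnerable pattern lets caller-supplied text act as the format string, so any conversion directives in it are interpreted; the hardened pattern passes the text as an argument to a fixed "%s" format, and the check function flags input that carries directives at all.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared formatter used by both patterns below (constructed helper). */
static int format_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Vulnerable pattern (CWE-134): the untrusted message *is* the format
 * string, so "%%" collapses to "%" and other directives read or write
 * memory the caller never intended to expose. Demonstrated here only with
 * a benign input that shows the interpretation taking place. */
static int unsafe_log(char *out, size_t n, const char *untrusted)
{
    return format_into(out, n, untrusted);
}

/* Hardened pattern: the format string is a literal and the untrusted text
 * is an argument, so it is copied verbatim and never interpreted. */
static int safe_log(char *out, size_t n, const char *untrusted)
{
    return format_into(out, n, "%s", untrusted);
}

/* Defensive check for input validation or log monitoring: returns 1 when
 * the string contains a conversion directive, i.e. a '%' that is not
 * immediately followed by another '%'. A lone trailing '%' also counts. */
static int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* escaped percent sign */
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char buf[64];
    const char *msg = "100%% done";   /* constructed sample input */

    unsafe_log(buf, sizeof buf, msg);
    printf("unsafe_log: %s\n", buf);   /* prints "100% done": input was interpreted */

    safe_log(buf, sizeof buf, msg);
    printf("safe_log:   %s\n", buf);   /* prints "100%% done": input copied verbatim */

    printf("directive in \"%%n\": %d\n", has_format_directive("%n"));
    return 0;
}
```

The observable difference between the two log calls on a harmless input is exactly the property the advisory describes: in the unsafe version the caller's bytes drive the formatter, which is why a format string bug in a network-facing server is rated as seriously as a buffer overrun.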

Another “high risk” alert was issued for a bfilename function buffer overflow vulnerability which affects Oracle9i Database Release 2, 9i Release 1, 8i, 8.1.7 and 8.0.6.

NGSSoftware also issued security alerts for flaws in Lotus 6, Lotus iNotes Client, Lotus Domino Web Server iNotes and Lotus Domino Web Server Host.

The vulnerabilities include a “critical risk” flaw in Lotus Domino that could lead to a denial-of-service attack and a buffer overflow bug in iNotes that can be exploited by an attacker to run code in the security context of the account running the Domino Web Services.