Oracle is treading on increasingly shaky ground with its 'unbreakable' marketing campaign, after no fewer than three advisories went out yesterday pinpointing security flaws in the 9i database and the 9i Application Server.
Although Oracle's slogan for the 9i database is "Can't break it. Can't break in", a recently discovered remote compromise in the database server, and a file access vulnerability and buffer overflow in 9iAS, may have something to say to the contrary.
With the remote compromise it may be possible for an attacker to masquerade as an Oracle process and execute any function in any driver on the file system without the authentication of a user ID or password.
According to reports, Oracle was alerted to the vulnerability last summer and provided with working exploit code in October. It is currently investigating the issue and working on a patch.
There are also multiple buffer overflows in the PL/SQL (Procedural Language/Structured Query Language) module for Oracle Application Server running on Apache that allow the execution of arbitrary code. A non-overflow denial of service vulnerability also exists.
The Oracle 9iAS web service is powered by Apache and provides many application environments with the facility to offer services from the site such as SOAP, PL/SQL, XSQL and JSP.
But a security issue exists in the OracleJSP environment where an attacker can get access to the source code of the translated JSP page. And there is a second issue that relates to an attacker gaining access to the globals.jsa contents.
Oracle has released a patch for the buffer overflow, which is available from the company's website. The advisories can be found on the Bugtraq security mailing list.