Oracle is treading on increasingly shaky ground with its 'unbreakable' marketing campaign, after no fewer than three advisories went out yesterday pinpointing security flaws in the 9i database and the 9i Application Server.
Although Oracle's slogan for the 9i database is "Can't break it. Can't break in", a recently discovered remote compromise in the database server, and a file access vulnerability and buffer overflow in 9iAS, may have something to say to the contrary.
With the remote compromise it may be possible for an attacker to masquerade as an Oracle process and execute any function in any driver on the file system without the authentication of a user ID or password.
According to reports, Oracle was alerted to the vulnerability last summer and provided with working exploit code in October. It is currently investigating the issue and working on a patch.
There are also multiple buffer overflows in the PL/SQL (Procedural Language/Structured Query Language) module for Oracle Application Server running on Apache that allow the execution of arbitrary code. A non-overflow denial of service vulnerability also exists.
The Oracle 9iAS web service is powered by Apache and provides many application environments with the facility to offer services from the site such as SOAP, PL/SQL, XSQL and JSP.
But a security issue exists in the OracleJSP environment where an attacker can get access to the source code of the translated JSP page. And there is a second issue that relates to an attacker gaining access to the globals.jsa contents.
Oracle has released a patch for the buffer overflow, which is available from the company's website here. The advisories can be found on the Bugtraq security mailing list.