Security experts this week uncovered two significant vulnerabilities in the standard and enterprise editions of Oracle's Oracle8i database that could not only place companies' data at risk but could also expose the database server operating system to hackers.
Researchers at PGP Security, a business unit of antivirus vendor Network Associates, discovered the vulnerabilities late Wednesday. The more serious problem involves Oracle8i's Transparent Network Substrate (TNS) Listener, the network-facing process that accepts incoming client connections and routes them to the appropriate Oracle database service.
PGP Security said the TNS Listener is vulnerable to a buffer overflow that could allow an attacker to execute arbitrary code on a company's database server with the privileges of the listener process, and possibly take full control of the operating system.
The other vulnerability stems from a flaw in the SQL*Net protocol that makes the system susceptible to denial-of-service attacks. Any Oracle service that uses the protocol, including the TNS Listener, Oracle Names and Oracle Connection Manager, is vulnerable, according to the advisory.
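The bug class the article attributes to the TNS Listener (a network daemon copying an attacker-controlled, length-prefixed field into a fixed-size stack buffer) is easier to recognise in code than in prose. The following is an added illustration, not Oracle's code and not the actual listener flaw: the packet framing is a hypothetical two-byte big-endian length followed by the connect string, since the page does not describe the real TNS framing or which field the listener mishandled. It shows the vulnerable copy beside the bounds-checked form, and the "claims more bytes than were received" check that any listener should apply to malformed input.

```c
/*
 * Added example, not Oracle's code. Hypothetical packet layout:
 *   [len_hi][len_lo][connect string of 'len' bytes]
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CONNECT_BUF 64   /* hypothetical fixed-size buffer in the listener */

/* Vulnerable pattern: the length is taken straight from the wire and is never
 * compared with the destination buffer or with the bytes actually received.
 * A length larger than CONNECT_BUF runs past cdata[] into the saved frame
 * pointer and return address, which is how a long connect request turns into
 * arbitrary code execution. Shown for contrast only; never call it on
 * untrusted data. */
int handle_connect_vulnerable(const uint8_t *pkt, size_t pkt_len)
{
    char cdata[CONNECT_BUF];
    if (pkt_len < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(cdata, pkt + 2, n);        /* n is attacker-chosen, up to 65535 */
    cdata[n] = '\0';
    printf("connect data: %s\n", cdata);
    return 0;
}

/* Hardened form: reject a length that claims more bytes than arrived (a
 * truncated or lying packet) and one that would not fit in the destination
 * together with its terminator. Returns the connect-data length, or a
 * negative code on rejection. */
int handle_connect_checked(const uint8_t *pkt, size_t pkt_len,
                           char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || out_len == 0 || pkt_len < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > pkt_len - 2)
        return -2;                    /* length field exceeds bytes received */
    if (n >= out_len)
        return -3;                    /* would overflow out[] */
    memcpy(out, pkt + 2, n);
    out[n] = '\0';
    return (int)n;
}

/* Build a packet with an explicit (possibly lying) length field so the
 * checks can be exercised with constructed input. Returns bytes written. */
size_t build_packet(uint8_t *buf, size_t cap, const char *body, uint16_t claimed)
{
    size_t body_len = strlen(body);
    if (cap < 2 + body_len)
        return 0;
    buf[0] = (uint8_t)(claimed >> 8);
    buf[1] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 2, body, body_len);
    return 2 + body_len;
}

/* Constructed scenario: honest length, 22-byte connect string. Returns 22
 * when the copy succeeds and the data round-trips. */
int scenario_well_formed(void)
{
    uint8_t pkt[128];
    char out[CONNECT_BUF];
    const char *body = "(CONNECT_DATA=(SID=X))";
    size_t len = build_packet(pkt, sizeof pkt, body, 22);
    int rc = handle_connect_checked(pkt, len, out, sizeof out);
    return (rc == 22 && strcmp(out, body) == 0) ? rc : -99;
}

/* Constructed scenario: length field says 4096 but only 22 bytes follow. */
int scenario_overclaimed(void)
{
    uint8_t pkt[128];
    char out[CONNECT_BUF];
    size_t len = build_packet(pkt, sizeof pkt, "(CONNECT_DATA=(SID=X))", 4096);
    return handle_connect_checked(pkt, len, out, sizeof out);
}

/* Constructed scenario: 100 bytes really sent, but the buffer holds 64. The
 * vulnerable handler would smash the stack here; the checked one refuses. */
int scenario_oversized(void)
{
    uint8_t pkt[256];
    char out[CONNECT_BUF];
    char body[101];
    memset(body, 'A', 100);
    body[100] = '\0';
    size_t len = build_packet(pkt, sizeof pkt, body, 100);
    return handle_connect_checked(pkt, len, out, sizeof out);
}

int main(void)
{
    printf("well-formed: %d\n", scenario_well_formed());     /* prints 22 */
    printf("overclaimed: %d\n", scenario_overclaimed());     /* prints -2 */
    printf("oversized:   %d\n", scenario_oversized());       /* prints -3 */
    return 0;
}
```

The two checks are deliberately separate: the first catches packets that lie about their own size, the second catches packets that are honest but too large for the buffer. A listener that only checks one of them is still exploitable by the other case.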
Both vulnerabilities apply to the standard and enterprise editions of Oracle8i versions 8.1.5, 8.1.6 and 8.1.7, as well as earlier releases, on Windows, Linux, Solaris, AIX, HP-UX and Tru64 Unix. Oracle9i isn't vulnerable, said Jim Magdych, security research manager at PGP Security's COVERT Labs.
According to Magdych, Oracle database administrators should download and apply the available patches for these vulnerabilities "as soon as possible."
Oracle didn't respond immediately to requests for comment. However, the company has produced a patch for the vulnerability under bug number 1489683. It's available for all supported releases of the Oracle Database Server from the Oracle Worldwide Support Services site. The site requires users to register and create an account.
The vulnerability of database servers isn't new. However, experts agree that it's a subject of increasing importance as more and more corporate information is stored in very large databases.
"Every business of any size, whether an e-business or not, is reliant on databases," said Rich Telljohann, product line manager at Internet Security Systems. "From human resources to accounting systems, the vast majority of that data is in a database somewhere," he said.
The problem, however, is that "database administrators often assume that if the OS and the network are secure, the database is secure," said Telljohann. "That's a completely faulty assumption. Databases are addressable."