Translation of www.Heise.de German news article
This article was originally published on the German security portal heise Security. The text in English is as follows:
Oracle closes security holes
Database manufacturer Oracle has published its quarterly CPU, which
closes 23 security holes. Affected products are the database server
(17), application server (3), Collaboration Suite (1) and the E-Business
Suite (2). The errors affect different versions of these products. More
detailed information is contained in the Oracle advisory for this
update.
Unlike in previous advisories, the manufacturer describes additional
details about the vulnerabilities in this advisory. It explains which
module contains which error and what additional requirements must be
fulfilled to exploit these holes, e.g. whether prior authorisation is
required. Some of the holes are buffer overflows that allow code to be
injected via the network. Others are SQL injection and directory
traversal, i.e. breaking out of a given directory.
The patches are available on Oracle's web pages for registered
customers. The errors were discovered, among others, by the database
security specialists David Litchfield of NGSSoftware, Pete Finnigan
and Alexander Kornbrust, who have released their own advisories.
According to Kornbrust's advisory, Oracle did not patch a buffer
overflow that could crash a database server for nearly 2 years.
See also:
* Critical Patch Update January 2005 from Oracle
* Vulnerabilities in the Oracle Database Server from NGSSoftware
* Directory Traversal from Peter Finnigan
* Buffer Overflow in Create Database Link in Oracle8i - 9i from Alexander Kornbrust
Thanks again to Daniel and Alex.