Oracle issues patch for security flaw

Martin LaMonica Former Staff writer, CNET News
Martin LaMonica is a senior writer covering green tech and cutting-edge technologies. He joined CNET in 2002 to cover enterprise IT and Web development and was previously executive editor of IT publication InfoWorld.
Oracle recommended that its database customers patch a security vulnerability in certain versions of its database, saying the risk of exposure is high. Any machine connected to an affected server could exploit the flaw and take over the server, the company said. The problem is found in four editions of Oracle's 9i and Oracle 8i databases as well as two editions of the Oracle 9i Application Server, the company said in an alert issued on Dec. 4.

The problem, further detailed at Carnegie Mellon University's CERT Coordination Center, is due to flaws in different implementations of security protocols, namely Secure Sockets Layer (SSL) and Transport Layer Security (TLS), used within Oracle's products. The SSL vulnerabilities can be "exploited when carefully crafted X.509 certificates are presented by clients, even when X.509 client certificates are not enabled," according to the Oracle alert.