Another 'critical' flaw, this time from Oracle

A browser plus a bit of knowledge equals access to valuable e-commerce data.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Database software maker Oracle warned customers using the most recent version of its e-commerce program of a flaw that puts their systems at risk.

In a terse but strongly worded advisory released to customers last week, Oracle said a software flaw in its Oracle 11i E-Business Suite and its Oracle Applications 11.0 could let an attacker take control of the database that powers the programs.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

"Risk of exposure is high, as any user with browser access and specialized knowledge can exploit" the flaw, Oracle said in the advisory. The company would not provide details. Oracle has released a patch for the problem and urged customers to update their systems.

Security information provider Secunia rated the vulnerability as "highly critical," its second highest rating.

The vulnerability was discovered by Stephen Kost, chief technology officer for Integrigy, a company focused on creating software to secure critical corporate applications. Integrigy's own advisory jibed with Oracle's on the ease with which the flaw could be exploited.

"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single (HTTP, or Hypertext Transfer Protocol, request), successful attacks can be easily designed that will evade most intrusion detection and prevention systems," Integrigy said in its advisory.

Early last year, Integrigy released its application security product, AppSentry, for Oracle's E-Business Suite. A year ago, the company also published information on two other flaws in the same Oracle product.