Oracle warns of three new flaws

The database maker alerts customers to a flaw in its database server and two vulnerabilities in its E-Business Suite, warning users again about a problem with its application server.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
2 min read
Database maker Oracle warned customers on Wednesday of three new flaws in its products and reiterated its warning to businesses of a fourth flaw that uses the company's application server.

The two most serious vulnerabilities were in the firm's E-Business Suite, Oracle's set of server applications for managing everything from accounting to Intranets. Both were given the highest of three threat ratings assigned by Oracle to its products' vulnerabilities.

"Our rating system is based upon likelihood of exploitation and risk of damage if the issue were exploited," said John Heimann, director of security product management for Oracle. "Either of these issues is exploitable and could result in damage if exploited."

Oracle has issued advisories and patches on all four vulnerabilities.

The first E-Business Suite vulnerability, caused by a set of unsecured Java server pages, could allow any user to view the product's configuration and host-system information. The second flaw, a buffer overflow, could lead a component of the suite to crash and potentially allow an attacker to run code on the system.

The flaw in the company's database server could allow an attacker to execute code against the system--but only if the person already has database-administrator rights to the system. The main concern with this type of an attack is that a company insider could gain a higher level of privilege on the server.

Oracle also reiterated a warning about several flaws in the application server that could allow people to read files or to look at the source code of Java server pages.