February 18, 2009
The two zero-day vulnerabilities in the Oracle database may enable an attacker or malicious user who holds execute privileges on specific packages to take over the database completely, compromising the entire contents of the database and the availability of the systems dependent on it.
Sentrigo's continuing vulnerability discovery and research efforts exposed two additional vulnerabilities in built-in Oracle packages. These packages are used by other internal Oracle components and may also be invoked directly by database users. Any user with sufficient execute privileges on the vulnerable packages may exploit the vulnerabilities to attack the database and the contents it holds.
Sentrigo has informed Oracle’s security division of the discovered vulnerabilities in detail, and Oracle has confirmed their existence. Oracle will include patches for the two vulnerabilities in an upcoming Critical Patch Update (CPU). However, until the CPU containing these patches is released and installed by Oracle customers, Oracle databases world-wide will remain vulnerable and exposed to these weaknesses.
Immediately following the discovery of the two vulnerabilities, Sentrigo released a security update containing protections for both. Sentrigo's customers running Oracle databases are therefore automatically protected from attacks targeting these vulnerabilities.
In keeping with responsible disclosure, no additional technical details can be published at this time.