Oracle Ups Status On SSL Vulnerability Alert

by CXOtoday Staff    Dec 09, 2003

Oracle issued a high-severity security alert warning of Secure Sockets Layer (SSL) vulnerabilities that will require users to immediately apply patches to systems at risk.

Oracle released a detailed security alert on Thursday. The cautionary note addresses SSL vulnerabilities detailed in CERT Advisory CA-2003-26, and SSL vulnerabilities detailed in several older Common Vulnerabilities and Exposures (CVE) Candidates.

The company justified the alert upgrade by citing the fact that a number of its server products could be tampered with by exploiting vulnerabilities in the OpenSSL implementation of SSL.

According to Oracle, the risk of exposure is high. Any client that is able to access the server may exploit the vulnerabilities, and the flaws could potentially open the door for a remote attacker to launch a denial-of-service (DoS) attack, execute malicious code, and gain access privileges.

This vulnerability affects all products that use SSL and accept client certificates in the Oracle9i Application Server, the Oracle9i Database Server, and the Oracle8i Database Server.

OpenSSL is an open source implementation of the SSL and Transport Layer Security (TLS) protocols. The protocols provide encryption, authentication, and other security measures to HTTP and other network applications.

To minimize risk, Oracle recommended that users apply patches since no workarounds exist that fully address the potential security vulnerabilities. Patches for the security vulnerabilities are available on Oracle’s support Web site, MetaLink.