Oracle database flaws affect virtually all financial transactions

Munir Kotadia ZDNet.co.uk

Published: 03 Aug 2004 17:25 BST

Oracle is keeping quiet about allegations that its ubiquitous database has at least 30 security vulnerabilities that could allow hackers to compromise the confidentiality of virtually all financial transactions.

David Litchfield, the MD of UK-based developer Next Generation Security Software, told The Wall Street Journal that he had discovered more than 30 security holes in Oracle's database that could allow hackers to compromise information stored within its records.

Oracle's relational database is used by so many enterprises, financial institutions, public organisations and e-commerce Web sites that virtually every financial transaction conducted will, at some point, pass through an Oracle database.

On Tuesday, Oracle refused to speak about the alleged flaws and issued a statement that neither confirmed nor denied the allegations. Instead, the company claimed its product was more secure than rival databases from IBM and Microsoft.

"Oracle, of any major software vendor, offers the most widely tested security software with 18 international security evaluations, compared to one evaluation for Microsoft's database and none for IBM," the statement said.

In a statement, Oracle said that "when software security flaws are discovered, Oracle responds as quickly as possible with patches and work-arounds in order to help protect information secured by customers in Oracle-based information systems."

According to the WSJ, Litchfield found problems in the PL/SQL code, which is used by custom applications to communicate with the database. If this code is flawed, administrators may be required to modify all their applications in order to properly secure them.

James Governor, principal analyst at RedMonk, said the flaw could cause a lot of problems for database administrators as Oracle will not be able to simply issue a patch because of the nature of the problem.

"If this is going to affect PL/SQL code, there is an awful lot of home-grown PL/SQL code out there -- it's not a packaged application that Oracle can patch," said Governor.

Governor said that a significant proportion of companies use Oracle for their transactional applications, and that Oracle has been pitching its database as a solution to enterprises' security problems for many years.

"Most financial transactions touch an Oracle database somewhere along the line. They have been pitching the idea that Oracle is a more secure database than other environments, and should be used as the heart of security in multiple environments," said Governor.

Governor said Litchfield's comments should be taken seriously because he has been responsible for uncovering security vulnerabilities in the past.

"Litchfield has uncovered significant vulnerabilities in other environments before and has a track record of someone that potentially we should listen to," said Governor.

ZDNet UK's Graeme Wearden contributed to this report.