An unauthenticated user with browser access to a Web server hosting the E Business Suite application and specialized knowledge can exploit vulnerabilities, says a top-level security alert from Oracle this week.
Oracle Security Alert 67 declares that, without a patch issued by Oracle, Oracle E-Business Suite 11i and Oracle Applications 11.0 packages are subject to multiple SQL injection flaws that could be used to manipulate database entries.
Oracle shops with Internet-facing application servers are particularly at risk, says the security tools firm Integrigy, which describes the vulnerabilities as follows:
"Integrigy has discovered multiple SQL injection vulnerabilities in almost all supported versions of Oracle Applications (11.0 and 11i).
Because Oracle Applications 11i installs code for all product modules, all Oracle Applications 11i customers are vulnerable to these SQL injection issues.
A SQL injection vulnerability allows an attacker to execute SQL statements or database functions by inserting SQL code fragments into input fields of a web page. Due to the design of Oracle Applications, a SQL injection attack can easily and effectively compromise the entire database and application." Oracle has released a patch for Oracle Applications 11.0 and the Oracle E-Business Suite 11i to correct these vulnerabilities. |
