Oracle patches SSL server bugs
Oracle has issued a security alert and software patches for a set of serious vulnerabilities in the security protocols some of its server products use.
The flaws affect certain versions of Oracle's 8i and 9i Database Server, Oracle 9i Application Server, and versions 8 and 9 of the Oracle HTTP Server, according to the alert.
Any client that can reach an affected Oracle server could exploit the vulnerabilities, according to the alert, which rates users' risk of exposure as "high." Oracle "strongly recommends" that users apply the patches for these vulnerabilities and says there are no workarounds other than patching.
The flaws lie in the handling of Abstract Syntax Notation One (ASN.1), the encoding used by the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, which in turn are used widely for exchanging data securely on the Internet.
"A lot of the problems have to do with the way that ASN.1 handles purposefully badly constructed data," says Art Manion, an Internet security analyst with Carnegie Mellon's CERT Coordination Center.
By submitting data that was "purposefully badly constructed," a malicious client theoretically could gain control over certain servers running SSL or TLS software, Manion says.
"In a worst-case scenario, a malicious client, using a specially crafted client certificate, could execute arbitrary code on a vulnerable server," he says.
Though the exploit is technically possible, hackers have yet to use it, Manion says. "These vulnerabilities aren't so dead easy to exploit," he says.
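As an added illustration, not code from the article, Oracle or OpenSSL, the check that sits at the heart of this class of bug: a DER tag-length reader that validates every declared length against the bytes actually received, so a certificate with a "purposefully badly constructed" length field is rejected before anything is read or copied. The sample encodings are constructed for the example.

```c
/* Added example: a bounds-checked DER tag-length reader. Each length claim
 * is checked against the data present, so malformed input is refused
 * rather than read past the end of its buffer. Not OpenSSL's code. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint8_t tag;     /* single-byte tag (high-tag-number form is rejected) */
    size_t  hdr_len; /* bytes consumed by tag + length */
    size_t  len;     /* declared content length, already bounds-checked */
} der_tlv;

/* Parse one TLV header from buf[0..n). Returns 1 on success, 0 if the
 * encoding is not valid DER or the declared length exceeds the data present. */
int der_read_tlv(const uint8_t *buf, size_t n, der_tlv *out)
{
    size_t pos = 0, len, nbytes, i;
    if (n < 2) return 0;                          /* need tag + 1 length byte */
    if ((buf[0] & 0x1f) == 0x1f) return 0;        /* multi-byte tag: reject */
    out->tag = buf[pos++];
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                              /* short form */
    } else {
        nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > 4) return 0;  /* indefinite or oversized */
        if (nbytes > n - pos) return 0;           /* length bytes truncated */
        if (buf[pos] == 0) return 0;              /* non-minimal: leading zero */
        for (len = 0, i = 0; i < nbytes; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;                 /* non-minimal: fits short form */
    }
    if (len > n - pos) return 0;                  /* content would run past buffer */
    out->hdr_len = pos;
    out->len = len;
    return 1;
}

/* Constructed samples. good_seq: SEQUENCE { INTEGER 5 }. bad_seq: the same
 * element with its outer length rewritten to claim 0x7fffffff content bytes. */
static const uint8_t good_seq[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const uint8_t bad_seq[]  = { 0x30, 0x84, 0x7f, 0xff, 0xff, 0xff, 0x02, 0x01, 0x05 };

int good_seq_accepted(void) { der_tlv t; return der_read_tlv(good_seq, sizeof good_seq, &t) && t.len == 3; }
int bad_seq_accepted(void)  { der_tlv t; return der_read_tlv(bad_seq, sizeof bad_seq, &t); }
```

A real parser repeats this check at every nesting level and for every string, integer and OID inside the certificate; the outer length being sane says nothing about the inner ones.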
Researchers at London's National Infrastructure Security Coordination Center originally discovered the vulnerabilities and then documented them in a CERT advisory Oct. 1, Manion says.
Oracle could have reduced the risk that these bugs present had it removed certain features from the OpenSSL software libraries included with its servers, says Thor Larholm, a senior security researcher with PivX Solutions, a network security consultancy in Newport Beach, Calif.
"Oracle ... should have done more to tailor the available functionality in the libraries they included, as some of the vulnerabilities in OpenSSL - which Oracle subsequently became vulnerable to - [are] not even used by Oracle itself," he says.
The vulnerabilities have affected a variety of software that employs the SSL and TLS protocols, including Oracle's, he says.
McMillan is a correspondent with the IDG News Service's San Francisco bureau.
Copyright Network World Inc. Dec 15, 2003