Subject Open source looks pretty good to me
Author Mike Harbison
(1) HIGH: Oracle Products Multiple Vulnerabilities
Oracle9i Database Server Release 1, versions, and 9.0.4
Oracle9i Database Server Release 2, versions and
Oracle8i Database Server Release 3, version Oracle Database 10g
Release 1, version Oracle Enterprise Manager Grid Control 10g,
version Oracle Enterprise Manager Database Control 10g, version Oracle Application Server 10g (9.0.4), versions and Oracle9i Application Server Release 2, versions and Oracle9i Application Server Release 1, version Oracle
Collaboration Suite Oracle E-Business Suite 11i

Description: The Oracle Database server, the Oracle Application server,
the Oracle Enterprise Manager, the Oracle E-Business and the Oracle
Collaboration suites contain multiple buffer overflows (numbering over
40) and SQL injection vulnerabilities, which may be exploited to execute
arbitrary code on the server(s). Some of the flaws in the Database and
the Application server can be exploited by a remote unauthenticated
attacker, whereas the flaws in the Enterprise Manager can be exploited
only with valid user credentials. The Collaboration and the E-Business
suite customers have been advised to apply the appropriate Database and
Application server patches; hence, the flaws in these applications could
also be exploited by remote unauthenticated attackers. In the
configurations using Oracle as a back-end database, the flaws may be
leveraged via SQL injection vulnerabilities in the front-end web
scripts. The default accounts provide another avenue for exploitation.
The technical details regarding many of the buffer overflows have been
publicly posted. Further details are expected to be released in the
upcoming months.

Status: Oracle has released patches listed in the Oracle Security Alert
#68. Given the fact that relevant technical information regarding some
of the overflows has been posted, and that some of the flaws may be
exploited by remote unauthenticated attackers, the patches should be
applied on a priority basis. The Center for Internet Security (CIS) has
released security benchmarking tools for Oracle, which may help in
hardening the database security.

Council Site Actions: A majority of the reporting council sites that
have Oracle implementations and are responding to this vulnerability.
Most of these sites are currently evaluating and testing the patches.
Some sites plan to patch the systems as soon as possible, while other
sites will patch during their next regularly scheduled system update
process. Several sites commented that their Oracle database servers are
isolated from external networks and thus the threat is greatly reduced.
One site is monitoring for any unusual network connections to systems
that are running Oracle products.

Oracle Advisory
CERT Advisories
Application Security Advisory
Integrigy Advisory
NGS Advisory
PeteFinnigan Advisory
iDefense Advisories
Oracle Security Hardening Tools
SecurityFocus BID


(3) MODERATE: IBM DB2 Buffer Overflow Vulnerabilities
IBM DB2 version 8.1 Fixpak 6 and prior
IBM DB2 version 7.x Fixpak 11 and prior

Description: IBM DB2 database contains two buffer overflow
vulnerabilities, which can be potentially exploited to execute arbitrary
code on the database server. The discoverers of the flaw have not
released any technical details regarding these flaws, which have been
rated as "High". Other advisories with a similar rating from the
discoverers have included overflows that require minimal user privileges
or flaws that can be exploited by remote unauthenticated attackers.
Hence, although the @RISK rating for this item is currently "MODERATE"
due to lack of any more information, the DB2 administrators should apply
the patches on a priority basis. The technical details are scheduled to
be released on December 1, 2004. It may also be possible to "binary
diff" the patches to obtain more information about the flaws.

Status: IBM has released the patches. Upgrade DB2 version 8.1 to Fixpak
7, and DB2 version 7.x installations to Fixpak 12.

Council Site Actions: Three council sites are running the affected
software. One site is reviewing the potential impact and will likely
patch their systems on an accelerated schedule. The other two sites have
notified their support staff, but no other action has been taken at this

NGS Advisory
IBM Patch Download
IBM DB2 Product Page
SecurityFocus BID