Database Security Issues with Oracle 9i

The security specialists Cesar Cerrudo (founder and CEO, Argeniss Security Research Team) and Mark Litchfield have discovered several vulnerabilities in Oracle 9i. These vulnerabilities make user access insecure. Particularly, these vulnerabilities are the reasons for which we cannot say that the database access system of the software’s latest version is foolproof. The conversion functions NUMTOYMINTERVAL and NUMTODSINTERVAL provoke long char_expr string buffer overflows that allow attackers to overwrite the stack with its own code. Moreover, the attacker or hacker might even be able to run the overwritten programs resulting into total corruption of the database files. Also, it doesn’t really matter that what platform (SYSTEM or ORACLE) the database is actually utilizing. The susceptibility of the Oracle 9i at this level can thus become a matter of real concern for the administrators.

Both errors are included in versions up to 9.2.0.4. Two other bugs affect the possible buffer overflows in the functions FROM_TZ and TIME_ZONE that we find in the version up to 9.2.0.3. In order to remove the gaps in the database strings that increase the possibility of hacking and unauthorized rewriting, the users can install version 9.2.0.4.

In such a state of affair, the credibility of the Oracle database systems does not remain completely unarguable and specialist security support becomes necessary. This security optimization of the system would involve more customization, encryption, and query language compatibility of the database storage. Also, backing up the crucial data in regular and well-managed time intervals can help in retrieving stored information during emergencies. Implementation of advanced and more functional backup tools can be scrutinized in the following texts.

The Backup tool LiteSpeed Engine is a nice backup utility for the Oracle databases. It would not only back up the files faster in comparison to the in-built RMAN (Recovery Manager) utility, but also reduce the disk space requirements. The manufacturer of this product is the Quest Software. The software tool further proffers four levels of encryption (AES-128/192/256 and 3DES), which is broadly compatible with RMAN and Tivoli Storage Manager to execute and integrate. The software can be exploited with the Standard and Enterprise Editions of Oracle 9i version for extended use.

The promising multi-level encryption schemes in modern database creation and retrieval operations provide ample security. But the user must still be cautioned about the shortcomings of some of the Oracle 9i conversion functions and database strings. In today’s world, the threat of database infiltration and hacking has increased manifold. Also, we cannot afford to lose valuable data in a run time environment under industrial pressure. Therefore, the users are advised to understand and overcome the existing limitations in Oracle 9i.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.