DHS Issues Oracle Warning

Homeland Security Department officials used the National Cyber Alert System this week to warn users of critical security vulnerabilities discovered in Oracle Corp.'s E-Business Suite 11i and Oracle 11 applications.

The DHS alert warned that unauthorized but knowledgeable persons with Web browser access to unpatched versions of the Oracle software can exploit the vulnerabilities to execute destructive Structured Query Language (SQL) procedures inside the applications.

Oracle has provided a patch that users can download to close the security holes for the software versions named in the alert. Earlier versions have not been tested for the vulnerability because Oracle is no longer providing patches for the older versions.

Applications making the vulnerability list include Oracle E-Business Suite 11i and 11.5.1 through 11.5.8 and all releases of Oracle 11 applications. Oracle E-Business Suite Release 11.5.9 and later versions are not vulnerable.

According to Integrigy Corp.'s Stephen Kost, a security expert who discovered the vulnerabilities, the unpatched Oracle database applications are open to malicious exploits known technically as SQL injection attacks.

The DHS alert warns that "exploitation may lead to compromise of the database application, data integrity or underlying operating system." No operating system is immune.

Oracle databases and applications are widely used throughout the federal government. The Energy Department's Sandia National Laboratories and NASA's Jet Propulsion Laboratory, among others, use the Oracle E-Business Suite for managing their business operations.
