Oracle accidentally exposes flaw, exploit

By Bill Brenner, Senior News Writer 11 Apr 2006 | SearchSecurity.com

Oracle tips, scripts, and expert advice Digg This!     StumbleUpon     Del.icio.us

Updated Wednesday, April 12 to include a statement from Oracle Corp.

Oracle Corp.'s next critical patch update (CPU) is a week away, but customers of the database giant already have a security hole to worry about -- and this one appears to have been accidentally released by the company itself.

According to Alexander Kornbrust, a well-known database security researcher and business director at German firm Red-Database-Security GmbH, Redwood Shores, Calif.-based Oracle accidentally posted information about the flaw -- including how to exploit it -- on its MetaLink customer support site.

More on Oracle security Oracle releases critical, out-of-cycle patch Oracle makes Microsoft patching look good Researcher: Oracle failed to patch critical flaw Oracle patches 82 critical flaws

In a posting on the Red-Database-Security Web site, Kornbrust said that on April 6, Oracle released a note on the MetaLink site with details about an unpatched flaw and exploit code affecting all versions of Oracle Database, from 9.2.0.0 through 10.2.0.3. He said the note was also displayed in the daily headlines section of the MetaLink site and sent to subscribers of the daily headline section.

He said the "high-risk, privilege escalation" vulnerability is due to an error in how Oracle Database handles certain specially crafted views created by unprivileged users. He said malicious users who gain "SELECT" privileges could exploit the flaw to insert, update or delete arbitrary data.

The French Security Incident Response Team (FrSIRT), a widely known vulnerability clearinghouse, analyzed the flaw and released its own advisory, labeling the vulnerability a moderate risk.

"In this case, not only [did] Oracle release detailed information on the vulnerability, but they also included the working exploit code on the MetaLink" site. Alexander Kornbrust Red-Database-Security,

After he became aware of it, Kornbrust said he e-mailed Oracle about the posting, and the company then removed the information from MetaLink. On the Red-Database-Security Web site, he criticized the company for doing something for which it usually lashes out at others.

"Oracle normally criticizes individuals and/or companies for releasing information about Oracle vulnerabilities," he said. "In this case, not only [did] Oracle release detailed information on the vulnerability, but they also included the working exploit code on the MetaLink" site.

An Oracle spokesperson said the company is investigating the incident.

"Oracle is aware that information regarding a security vulnerability was inadvertently posted to MetaLink, Oracle's Web support portal," she said in an e-mail. "We are currently investigating events that led to the posting and plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update."

Until the security hole is patched, Kornbrust offered the following workarounds:

Removing the primary key from the base table is an option, though this could cause performance and integrity issues on the application.

Digg This!     StumbleUpon     Del.icio.us

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary