Oracle accidentally exposes flaw, exploit

Article

Oracle accidentally exposes flaw, exploit

Bill Brenner, Senior News Writer

Updated Wednesday, April 12 to include a statement from Oracle Corp.

Oracle Corp.'s next critical patch update (CPU) is a week away, but customers of the database giant already have a security hole to worry about

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

-- and this one appears to have been accidentally released by the company itself.

According to Alexander Kornbrust, a well-known database security researcher and business director at German firm Red-Database-Security GmbH, Redwood Shores, Calif.-based Oracle accidentally posted information about the flaw -- including how to exploit it -- on its MetaLink customer support site.

In a posting on the Red-Database-Security Web site, Kornbrust said that on April 6, Oracle released a note on the MetaLink site with details about an unpatched flaw and exploit code affecting all versions of Oracle Database, from 9.2.0.0 through 10.2.0.3. He said the note was also displayed in the daily headlines section of the MetaLink site and sent to subscribers of the daily headline section.

He said the "high-risk, privilege escalation" vulnerability is due to an error in how Oracle Database handles certain specially crafted views created by unprivileged users. He said malicious users who gain "SELECT" privileges could exploit the flaw to insert, update or delete arbitrary data.

The French Security Incident Response Team (FrSIRT), a widely known vulnerability clearinghouse, analyzed the flaw and released its own advisory, labeling the vulnerability a moderate risk.

After he became aware of it, Kornbrust said he e-mailed Oracle about the posting, and the company then removed the information from MetaLink. On the Red-Database-Security Web site, he criticized the company for doing something for which it usually lashes out at others.

"Oracle normally criticizes individuals and/or companies for releasing information about Oracle vulnerabilities," he said. "In this case, not only [did] Oracle release detailed information on the vulnerability, but they also included the working exploit code on the MetaLink" site.

An Oracle spokesperson said the company is investigating the incident.

"Oracle is aware that information regarding a security vulnerability was inadvertently posted to MetaLink, Oracle's Web support portal," she said in an e-mail. "We are currently investigating events that led to the posting and plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update."

Until the security hole is patched, Kornbrust offered the following workarounds:

  • Sanitize the connect role and remove the CREATE VIEW and CREATE DATABASE LINK privilege from the connect role.
  • Removing the primary key from the base table is an option, though this could cause performance and integrity issues on the application.