Oracle FAQ Your Portal to the Oracle Knowledge Grid

Oracle Posts Exploit Code for Database Flaw

From: <xg_at_oraclexg.com>
Date: 18 Apr 2006 00:30:18 -0700
Message-ID: <1145345418.465198.89440@g10g2000cwb.googlegroups.com>


http://www.computerworld.com/databasetopics/data/software/story/0,10801,110521,00.html wrote:

APRIL 17, 2006 (COMPUTERWORLD) - Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code for exploiting the flaw.
The information about the vulnerability was included in a note that was briefly posted on Oracle's MetaLink customer support portal on April 6.

Oracle removed the information the next day after being informed of the security risks, said Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany.

Kornbrust distributed an advisory about the vulnerability to the Full Disclosure security mailing list last Monday. The security researcher said he decided to go public with the information about the vulnerability because enough people had already seen Oracle's Metalink note to pose a risk for users of the database.

An Oracle spokeswoman declined to comment about how the exploit code was released. She said the company plans to provide a software fix for the database hole "in a future quarterly patch update," although it won't be in the next set of security patches that Oracle plans to release tomorrow.

To exploit the vulnerability, an attacker would first need to have a user account on an Oracle database. By creating specially crafted queries, users who normally would only be able to read data could change the underlying information in a database.

Received on Tue Apr 18 2006 - 02:30:18 CDT
