Oracle Posts Exploit Code for Database Flaw
http://www.computerworld.com/databasetopics/data/software/story/0,10801,110521,00.html
wrote:
APRIL 17, 2006 (COMPUTERWORLD) - Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code for exploiting the flaw.

The information about the vulnerability was included in a note that was briefly posted on Oracle's MetaLink customer support portal on April 6.
Oracle removed the information the next day after being informed of the security risks, said Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany.
Kornbrust distributed an advisory about the vulnerability to the Full Disclosure security mailing list last Monday. The security researcher said he decided to go public with the information about the vulnerability because enough people had already seen Oracle's MetaLink note to pose a risk for users of the database.
An Oracle spokeswoman declined to comment about how the exploit code was released. She said the company plans to provide a software fix for the database hole "in a future quarterly patch update," although it won't be in the next set of security patches that Oracle plans to release tomorrow.
To exploit the vulnerability, an attacker would first need to have a user account on an Oracle database. By creating specially crafted queries, users who normally would only be able to read data could change the underlying information in a database.

Received on Tue Apr 18 2006 - 02:30:18 CDT