Exploit circulating for newly patched Oracle bug
It can crash an unpatched database server
IDG News Service - Database administrators now have an added incentive to install Oracle Corp.'s latest security patches, which were released earlier this week. Malicious software is circulating that can crash an unpatched database server, and one security expert predicted that more malware targeting the 89 recently patched vulnerabilities is on the way.
Yesterday , code was published on the Full Disclosure security mailing list that exploits a buffer overflow vulnerability in certain versions of Oracle's databases.
The code could be used by attackers to bring down a database, using a technique called a SQL injection attack, said Alexander Kornbrust, a business director at Red-Database-Security GmbH in Neunkirchen, Germany. In SQL injection attacks, Web applications that work with the database are tricked into sending malicious database queries using the SQL language.
The exploit could be used either by an attacker who had user credentials on an unpatched database or by a remote attacker, using a SQL injection attack over the Internet, Kornbrust said. "I tried the exploit, and it's working," he said in an interview conducted via instant message. "I highly recommend customers to apply these patches as soon as possible."
In a statement, Oracle said that Versions 9i and 10g of the database software were vulnerable to the bug, but the exploit published on Full Disclosure affects only 10g users, according to Kornbrust.
On Tuesday, Oracle released a bundle of critical security patches that fixed 89 bugs in its database and application servers, as well as some PeopleSoft and J.D. Edwards applications (see "Oracle patches 89 holes with quarterly security update"). Oracle releases security patches every three months as part of its security update program.
Normally, a few exploits begin circulating after each Oracle security update, Kornbrust said.
The buffer overflow vulnerability is described as vulnerability No. DB27.
Oracle did not respond to requests for comment on this story.


- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Establishing a Strategy for Database Security is No Longer Optional
- The options for securing increasingly valuable databases are very broad and deep, and can be confusing. This research provides an overview of three...
- Driving Secure Enterprise File Sharing and Syncing in the Enterprise
- GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
- The Enterprise File Sharing Option
- Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
- Activities Streams Base An Integrated Social Layer
- The enterprise social software market is exploding thanks to converging trends of consumerization, cloud, and mobile. In this must-read report, "The Forrester Wave:...
- Converged Infrastructure for Dummies
- As you know, everything is mobile, connected, interactive, and immediate. This is exactly why organizations need a highly agile IT infrastructure in order... All Applications White Papers
- Delivery Management -- Extending Lifecycle Management
- Date: Wednesday, June 20, 2012, 1:00 PM EDT
Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs,... - Leverage automation today to reduce IT complexity
- Date: Tuesday, June 5, 2012, 2:00 PM EDT
Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific... - BMC Control-M - Single Point of Control Demo
- With BMC Control-M, you schedule and manage everything - down to the very last platform and application - from one simple interface. It's...
- Operational Analytics - Changing the Competitive Dynamics of the Business
- Date/Time: June 5, 2012, 11:00 a.m., EDT, 4:00 p.m. BST / 3:00 p.m. UTC
Please join us for this webcast, as Dr. Barry... - Oracle Database Appliance Best Practices
- Business users increasingly demand 24x7 availability of their data while IT departments face the challenge of ensuring maximum availability while operating with limited... All Applications Webcasts