Oracle releases, then pulls, zero-day database exploit code

IDG News Service - Oracle Corp. appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code that could be used to exploit the problem. Details of the vulnerability were published last Thursday in a note that was briefly posted to Oracle's Metalink customer support portal.

The security community learned of the vulnerability early today when researcher Alexander Kornbrust posted an advisory on the situation to the Full Disclosure mailing list. Oracle removed the information on Friday, after being informed of the security risks associated with the Metalink note, said Kornbrust, a business director at Red-Database-Security GmbH, in Neunkirchen, Germany.

Oracle is planning to address the matter, the company said today. "Oracle is aware of information that was posted to Full Disclosure regarding a vulnerability in Oracle Database 9i and Oracle Database 10g. We plan to provide customers a patch that addresses this vulnerability in a future quarterly critical patch update," a company spokeswoman said.

The database vendor's next set of security patches is due on April 18.

In order to exploit the vulnerability, attackers would first need to have an account on the Oracle database, making this vulnerability unlikely to be exploited via the Web. However, by creating specially crafted queries, database users who would normally only be able to read data would be able to change the underlying data.

The vulnerability affects Oracle's database Versions 9.2.0.0 to 10.2.0.3 running on any operating system.

Kornbrust has published a number of work-arounds for the problem, which he does not believe will be patched in Oracle's April security updates. The work-arounds can be found on the Red-Database-Security site.

The security researcher said he decided to go public with the information on the vulnerability because enough people had already seen Oracle's Metalink note that it posed a risk for Oracle users.

It is ironic that the original source of this unpatched exploit, called a zero-day in hacker parlance, was Oracle itself, given Oracle's past criticism of researchers who disclose such vulnerabilities, Kornbrust said. "This time they can't blame security researchers," he said.

Oracle had no comment on how it came to release this sensitive information, but Kornbrust speculated that happened because of a mistake by the vendor's support organization.

"It looks to me like someone from Oracle support found information about this bug, and he was not aware that it was a security issue," he said. "I think the poor guy who published this information did this in context of helping people."

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.