Oracle blunder exposes database vulnerability

Software vendor accidentally discloses details about database flaw

Oracle is developing a patch for a flaw in its databases after the company accidentally published information about the bug on the Oracle knowledgebase Metalink last week.

The publication by Oracle raised eyebrows within the security community because attackers could use the information to exploit the flaw. Furthermore, the database developer has in the past been highly critical of hackers who disclosed information about vulnerabilities before the software maker had had a chance to release a patch.

"In this case, not only did Oracle release detailed information on the vulnerability; they also included the working exploit code on Metalink," security vendor Red Database Security noted in an advisory on its website.

Oracle has since removed the information from its website. The company had not, at the time of publication, responded to a request for further information.

The reported flaw affects database versions 9.1.0.0 through 10.2.0.3 on all platforms. It allows users with "SELECT" only privileges to insert, update or delete data via a specially crafted view. For custom applications this effectively means that low-privilege users now have the ability to alter data. In some cases they could escalate privileges and change passwords, Red Database Security warned.
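Until a patch is available, a DBA's practical options are to know which accounts hold only SELECT rights on sensitive objects and to record any write activity those accounts perform. The script below is an added example (not from the article, Oracle or Red Database Security) using Oracle's traditional auditing and data-dictionary views; the schema name `APP`, the view `APP.CUSTOMER_V` and the account `REPORT_USER` are assumed placeholders.

```sql
-- Added example: inventory of accounts that hold SELECT-only grants on
-- objects in the APP schema (placeholder schema name). Any such account
-- performing INSERT/UPDATE/DELETE is behaving outside its intended role.
SELECT grantee, table_name
  FROM dba_tab_privs
 WHERE owner = 'APP'
 GROUP BY grantee, table_name
HAVING MAX(CASE WHEN privilege = 'SELECT' THEN 1 ELSE 0 END) = 1
   AND MAX(CASE WHEN privilege IN ('INSERT','UPDATE','DELETE') THEN 1 ELSE 0 END) = 0;

-- Turn on statement auditing for write operations against a view that
-- low-privilege accounts can see (APP.CUSTOMER_V is a placeholder).
-- BY ACCESS writes one audit record per statement; auditing both successful
-- and failed attempts keeps failed probes visible too.
AUDIT INSERT, UPDATE, DELETE ON app.customer_v BY ACCESS;

-- Review: writes performed through the view by accounts that should only read.
-- REPORT_USER is an assumed SELECT-only account; extend the IN list from the
-- inventory query above.
SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'APP'
   AND obj_name = 'CUSTOMER_V'
   AND action_name IN ('INSERT','UPDATE','DELETE')
   AND username IN ('REPORT_USER')
 ORDER BY timestamp DESC;
```

The `AUDIT` statement requires `AUDIT_TRAIL` to be set to `DB` (or `DB,EXTENDED`) in the instance parameters and the `AUDIT ANY` privilege or `SYSDBA`; the audit views and the two queries work unchanged on the 9i and 10g releases named in the article. A non-empty result from the last query on an account that should only read is the signal to investigate, since it indicates a data change the grant model was supposed to prevent.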

Red Database Security marked the vulnerability "high risk" because it is currently unpatched and details have been made available. Security website Secunia rated the flaw "less critical" because it requires an attacker to already have access to the system.