Oracle accidentally exposes flaw, exploit

A database researcher says details about a high-risk privilege escalation vulnerability were mistakenly posted on Oracle's MetaLink site last week. There's no patch, but there are workarounds.

Updated Wednesday, April 12 to include a statement from Oracle Corp.

Oracle Corp.'s next critical patch update (CPU) is a week away, but customers of the database giant already have a security hole to worry about -- and this one appears to have been accidentally released by the company itself.

According to Alexander Kornbrust, a well-known database security researcher and business director at German firm Red-Database-Security GmbH, Redwood Shores, Calif.-based Oracle accidentally posted information about the flaw -- including how to exploit it -- on its MetaLink customer support site.


In a posting on the Red-Database-Security Web site, Kornbrust said that on April 6, Oracle released a note on the MetaLink site with details about an unpatched flaw and exploit code affecting all versions of Oracle Database, from 9.2.0.0 through 10.2.0.3. He said the note was also displayed in the daily headlines section of the MetaLink site and sent to subscribers of the daily headline section.

He said the "high-risk, privilege escalation" vulnerability is due to an error in how Oracle Database handles certain specially crafted views created by unprivileged users. He said malicious users who gain "SELECT" privileges could exploit the flaw to insert, update or delete arbitrary data.

The French Security Incident Response Team (FrSIRT), a widely known vulnerability clearinghouse, analyzed the flaw and released its own advisory, labeling the vulnerability a moderate risk.

After he became aware of it, Kornbrust said he e-mailed Oracle about the posting, and the company then removed the information from MetaLink. On the Red-Database-Security Web site, he criticized the company for doing something for which it usually lashes out at others.

"Oracle normally criticizes individuals and/or companies for releasing information about Oracle vulnerabilities," he said. "In this case, not only [did] Oracle release detailed information on the vulnerability, but they also included the working exploit code on the MetaLink" site.

An Oracle spokesperson said the company is investigating the incident.

"Oracle is aware that information regarding a security vulnerability was inadvertently posted to MetaLink, Oracle's Web support portal," she said in an e-mail. "We are currently investigating events that led to the posting and plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update."

Until the security hole is patched, Kornbrust offered the following workarounds:

  • Sanitize the CONNECT role: remove the CREATE VIEW and CREATE DATABASE LINK privileges from it.
  • Removing the primary key from the base table is an option, though this could cause performance and integrity issues on the application.
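The first workaround is a privilege change that a DBA can audit and apply with a few SQL statements. The following is an added example, not code from the article or from Red-Database-Security: it queries the Oracle data dictionary views ROLE_SYS_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS to see who currently obtains CREATE VIEW and CREATE DATABASE LINK and through what path, then strips both privileges from the CONNECT role. The schema name app_owner in the final comment is a placeholder. Run it as a user with DBA privileges.

```sql
-- Added example (not from the article): audit and apply the CONNECT-role
-- workaround on an Oracle Database. Run as SYS or another DBA account.

-- 1. What does the CONNECT role grant right now? On releases where it still
--    carries more than CREATE SESSION, every CONNECT grantee can create views
--    and database links.
SELECT privilege
  FROM role_sys_privs
 WHERE role = 'CONNECT'
 ORDER BY privilege;

-- 2. Which accounts hold the two privileges as DIRECT grants?
--    Revoking them from the role does nothing for these; they need their
--    own REVOKE ... FROM <user> if they do not genuinely need the privilege.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE VIEW', 'CREATE DATABASE LINK')
 ORDER BY grantee, privilege;

-- 3. Which accounts and roles obtain them through CONNECT?
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
 ORDER BY grantee;

-- 4. Apply the workaround: strip both privileges from the role itself.
REVOKE CREATE VIEW          FROM CONNECT;
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- 5. Confirm the role no longer carries them (expect no rows).
SELECT privilege
  FROM role_sys_privs
 WHERE role = 'CONNECT'
   AND privilege IN ('CREATE VIEW', 'CREATE DATABASE LINK');

-- 6. Re-grant CREATE VIEW only to the specific application schemas that
--    need it, rather than to everyone who can log in. app_owner is a
--    placeholder schema name:
-- GRANT CREATE VIEW TO app_owner;
```

Steps 2 and 3 are the part most often skipped: revoking from CONNECT closes the default path by which every ordinary login acquires CREATE VIEW, but any account that received the privilege directly, or through another custom role, keeps it until that grant is revoked as well. Sessions already connected keep the privilege until they reconnect.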