Updated Wednesday, April 12 to include a statement from Oracle Corp.
Oracle Corp.'s next critical patch update (CPU) is a week away, but customers of the database giant already have a security hole to worry about -- and this one appears to have been accidentally released by the company itself.
According to Alexander Kornbrust, a well-known database security researcher and business director at German firm Red-Database-Security GmbH, Redwood Shores, Calif.-based Oracle accidentally posted information about the flaw -- including how to exploit it -- on its MetaLink customer support site.
He said the "high-risk, privilege escalation" vulnerability is due to an error in how Oracle Database handles certain specially crafted views created by unprivileged users. He said malicious users who gain "SELECT" privileges could exploit the flaw to insert, update or delete arbitrary data.
The French Security Incident Response Team (FrSIRT), a widely known vulnerability clearinghouse, analyzed the flaw and released its own advisory, labeling the vulnerability a moderate risk.
"Oracle normally criticizes individuals and/or companies for releasing information about Oracle vulnerabilities," he said. "In this case, not only [did] Oracle release detailed information on the vulnerability, but they also included the working exploit code on the MetaLink" site.
An Oracle spokesperson said the company is investigating the incident.
"Oracle is aware that information regarding a security vulnerability was inadvertently posted to MetaLink, Oracle's Web support portal," she said in an e-mail. "We are currently investigating events that led to the posting and plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update."
Until the security hole is patched, Kornbrust offered the following workarounds: