April 11, 2006 4:36 PM PDT

Oracle's oops on security flaw

Oracle accidentally let slip details last week on a security flaw it has yet to patch.

The business software giant is usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products. But on April 6, it itself published a note on its MetaLink customer Web site with details about an unfixed flaw, Alexander Kornbrust, an independent researcher who specializes in Oracle security, said on his Web site on Monday.

Oracle confirmed the accidental posting. "Information regarding a security vulnerability was inadvertently posted to MetaLink," a representative for the company said Tuesday. "We are currently investigating events that led to the posting."

The flaw in question affects versions 9.1.0.0 through 10.2.0.3 of Oracle's database software running on any operating system. Not only did the posting reveal details of the vulnerability, it also included computer code to test it, said Kornbrust, who runs Germany's Red Database Security and often hunts for bugs in Oracle products.

The MetaLink posting was taken down. Yet, because of the posting, Kornbrust believes the issue is now public knowledge and the bug information should be shared publicly.

"Database administrators and developers who missed the note on MetaLink should know of this vulnerability, in order to avoid or mitigate the risk, if possible, while waiting for a patch from Oracle," Kornbrust said.

The flaw opens the door to privilege escalation, meaning that database users with limited privileges could take advantage of it to gain more rights. "Depending on the architecture of the application, it is possible to modify data, escalate privileges--for example, change database passwords," Kornbrust wrote.

The vulnerability arises from an error in handling certain "views" created by unprivileged users, according to security analysts at the French Security Incident Response Team. The FrSIRT deems the issue of "moderate risk."

Oracle has no fix publicly available, but the next edition in its regular Critical Patch Update is scheduled for release on Tuesday. "We plan to provide our customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update," the Oracle representative said, but could not say if it would arrive next week.

See more CNET content tagged:
Metalink Ltd., Oracle Corp., security flaw, flaw, vulnerability

2 comments

Join the conversation!
Add your comment
Unbreakable
This doesn't help the unbreakable myth does it?

<a class="jive-link-external" href="http://otherthingsnow.blogspot.com/" target="_newWindow">http://otherthingsnow.blogspot.com/</a>
Posted by SqlserverCode (165 comments )
Reply Link Flag
Old News
Anyone that has used Oracle over the years has lived with both product and security flaws for decades. However, this is not just an Oracle issue. It is a software industry issue. Every single product has security holes and bugs in general. Oracle has chosen to remain silent on security flaws. Others has decided to take different paths. I'm not sure which path is the right one. As long companies remain committed to maturing their software development process to minimize issues and bolster their investment in identifying and remediating issues after their release their product, I guess either path is OK.

The only issue I see is that their Marketing Department needs to rethink how they position their product. Their claims of being more secure than other products is pretty much a flat out lie. Again, Oracle users have known this for years as we've dealt with the hundreds of patches that have been released. Old news.

James.
Posted by James_U (80 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.