[Infowarrior] - Oracle's oops on security flaw

Richard Forno rforno at infowarrior.org
Tue Apr 11 20:14:45 EDT 2006


Oracle's oops on security flaw

By Joris Evers
http://news.com.com/Oracles+oops+on+security+flaw/2100-1002_3-6060128.html

Story last modified Tue Apr 11 16:57:46 PDT 2006

advertisement

Oracle accidentally let slip details last week on a security flaw it has yet
to patch.

The business software giant is usually secretive about security and critical
of researchers who publicly discuss flaws in Oracle products. But on April
6, it itself published a note on its MetaLink customer Web site with details
about an unfixed flaw, Alexander Kornbrust, an independent researcher who
specializes in Oracle security, said on his Web site on Monday.

Oracle confirmed the accidental posting. "Information regarding a security
vulnerability was inadvertently posted to MetaLink," a representative for
the company said Tuesday. "We are currently investigating events that led to
the posting."

The flaw in question affects versions 9.1.0.0 through 10.2.0.3 of Oracle's
database software running on any operating system. Not only did the posting
reveal details of the vulnerability, it also included computer code to test
it, said Kornbrust, who runs Germany's Red Database Security and often hunts
for bugs in Oracle products.

The MetaLink posting was taken down. Yet, because of the posting, Kornbrust
believes the issue is now public knowledge and the bug information should be
shared publicly.

"Database administrators and developers who missed the note on MetaLink
should know of this vulnerability, in order to avoid or mitigate the risk,
if possible, while waiting for a patch from Oracle," Kornbrust said.

The flaw opens the door to privilege escalation, meaning that database users
with limited privileges could take advantage of it to gain more rights.
"Depending on the architecture of the application, it is possible to modify
data, escalate privileges--for example, change database passwords,"
Kornbrust wrote.

The vulnerability arises from an error in handling certain "views" created
by unprivileged users, according to security analysts at the French Security
Incident Response Team. The FrSIRT deems the issue of "moderate risk."

Oracle has no fix publicly available, but the next edition in its regular
Critical Patch Update is scheduled for release on Tuesday. "We plan to
provide our customers a patch that addresses this vulnerability in a future
quarterly Critical Patch Update," the Oracle representative said, but could
not say if it would arrive next week.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.





More information about the Infowarrior mailing list