Oracle accidentally releases exploit code

Oracle appears to have accidentally released details about an unpatched security vulnerability in its database software, including sample code that could be used to exploit the problem. Details of the vulnerability were published last Thursday in a note that was briefly posted to Oracle's Metalink customer support portal.

The security community learned of the vulnerability early Monday when researcher Alexander Kornbrust posted an advisory on the situation to the Full Disclosure mailing list. Oracle removed the information on Friday, after being informed of the security risks associated with the Metalink note, said Kornbrust, a business director at Red-Database-Security, in Neunkirchen, Germany.

Oracle is planning to address the matter, the company said Monday. "Oracle is aware of information that was posted to Full Disclosure regarding a vulnerability in Oracle Database 9i and Oracle Database 10g. We plan to provide customers a patch that addresses this vulnerability in a future quarterly Critical Patch Update," a company spokeswoman said Monday.

The database vendor's next set of security patches is due on April 18.

In order to exploit the problem, attackers would first need to have an account on the Oracle database, making this problem unlikely to be exploited via the Web. However, by creating specially crafted queries, database users who would normally only be able to read data would be able to change the underlying data.

The vulnerability affects Oracle's database version 9.2.0.0 to 10.2.0.3 running on any operating system.

Kornbrust has published a number of work-arounds for the problem, which he does not believe will be patched in Oracle's April security updates. These work-arounds can be found at http://www.red-database-security.com/advisory/oracle_modify_data_via_views.html.

The security researcher said he decided to go public with the information on the vulnerability because enough people had already seen Oracle's Metalink note that it posed a risk for Oracle users.

It is ironic that the original source of this unpatched exploit, called a 0day in hacker parlance, was Oracle itself, given Oracle's past criticism of researchers who disclose such vulnerabilities, Kornbrust said. "This time they can't blame security researchers," he said.

Oracle had no comment on how it came to release this sensitive information, but Kornbrust speculated that it was due to a mistake by their support organization. "It looks to me like someone from Oracle support found information about this bug and he was not aware that it was a security issue," he said. "I think the poor guy who published this information did this in context of helping people."