Oracle Server flaw sparks warning

A software security expert warned users of Oracle Server that a software flaw could allow any user to read, modify, and delete data used by Oracle applications; he also says that Oracle may have unwittingly shown hackers how to exploit the previously unknown hole.

Alex Kornbrust of Red-Database-Security said on Monday that an article posted on Oracle's MetaLink knowledge base on Thursday identified an unpatched and previously unknown security hole in Oracle Server Enterprise Edition Version 9.2 to 10.2.0.3 that allows Oracle users with read-only privileges to delete or modify rows of data used by Oracle applications. Sample code published with the knowledgebase article showed Oracle customers how the flaw could be exploited, he said.

In an e-mail statement, an Oracle spokeswoman said the company is aware of the vulnerability Kornbrust identified and is preparing a patch to address it in a future Critical Patch Update (CPU).

Oracle removed the article from MetaLink after being informed of the security threat it posed. However, malicious hackers with access to MetaLink may have already copied the exploit code from the knowledgebase article, said Kornbrust, an expert on Oracle security.

The vulnerability affects an Oracle view called an updatable join view, which allows Oracle customers to dynamically update or delete information in underlying database tables, according to a copy of the knowledgebase article viewed by InfoWorld.

Kornbrust said users with SELECT privileges on a database table, which allows them to read and display data from the table, can instead delete, update, and insert new data into a table using the exploit detailed in Oracle's MetaLink article.

Kornbrust declined to publish details about the exploit, but said it is possible that malicious users may have copied the exploit code from the MetaLink article.

The problem is with Oracle's internal privilege checking routines, Kornbrust said.

The vulnerability will not affect data stored in the Oracle data dictionary, which stores the core information, such as tables of user accounts and database objects, used by the Oracle database. However, the flaw could be used to circumvent user permissions in software applications that rely on Oracle, Kornbrust told InfoWorld.

A malicious hacker would need to be able to log on to the vulnerable Oracle database, but even low level "read only" or guest accounts could be used to insert, update or delete data, he wrote InfoWorld.

"The impact of this on custom applications can be huge and eliminate the entire (user) role concept," he wrote in a post to the Full Disclosure security discussion list.

In an e-mail statement, Oracle's spokeswoman said security is a matter the company takes seriously and stands by the inherent security of its products, but that "we are always working to do better."

Oracle administrators looking for a temporary fix for the problem can remove the CREATE VIEW privilege for low-level accounts, Kornbrust said. That privilege was granted, by default, to user accounts for in versions of Oracle's database up to 10g Rel 2.