"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.
Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.
Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently; a closer examination of that behavior revealed the flaw.
Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.
Oracle has battled with database flaws in the past. In January, InfoWorld uncovered a manual method to change the system change number (SCN), which could break the database. The SCN is a kind of time stamp for every transaction. If a database reaches its transaction limit, it could stop working properly.