Vendors typically frown upon the premature publication of vulnerability and exploit information and usually its the discoverer who is the source of the leak. But last week Oracle was the source of a leak about a vulnerability, including a working exploit, in its popular Oracle Database server product.
In a message posted to the Full Disclosure mailing list, Alexander Kornburst, CEO and Business Director at Red Database Security, said that Jens Flasche informed him that on April 6 Oracle posted "details about an unfixed vulnerability and working test case" on its Metalink portal. The portal is used to provide customers with immediate access to technical support and product information.
Kornbrust said the "working test case" equates to a usable exploit that affects all versions of Oracle Database from 188.8.131.52 to 10.2.0.3. The vulnerability is that a user with "SELECT Object Privilege" on base tables can delete rows from a view, and according to Kornbrust it might be possible to also insert and update data or escalate privileges. Oracle is working on a patch for the problem.
"After noticing the \[information online at Metalink\] I informed \[Oracle's security staff\] that releasing such information on Metalink is not a wise idea. Oracle normally criticizes individuals and/or companies for releasing information about Oracle vulnerabilities \[...\] In this case, not only \[did Oracle release\] detailed information on the vulnerability they also included the working exploit code on \[the Metalink site\]."
Kornbrust said the information was removed soon after he contacted Oracle about posting the information on Metalink. Kornbrust added that since the information was made available on Metalink that he considers the vulnerability to now be public knowledge. He subsequently decided to post information about the vulnerability so that administrators could try to mitigate the risks while waiting on a patch for Oracle. Workaround information is available at the Red Database Security Web site. The company specializes in security services and solutions for Oracle Database.