Patch/Configuration Management, Vulnerability Management

Firm: Oracle released flaw info by mistake

Share

Oracle, with its next scheduled patch release now a week away, unintentionally released information about a new privilege escalation security hole on a company website last week.

The Redwood Shores, Calif., database giant released a note on its customer-only Metalink site with the subject, "A user with select object privilege on base tables can delete rows from a view," according to the Red Database Security website.

Alexander Kornbrust of Red Database said Tuesday that the alert was removed from Oracle's site shortly after he contacted the company about it.

"After noticing the note, I informed Oracle secalert that releasing such information on Metalink is not a wise idea. Oracle normally criticizes individuals or companies for releasing information about Oracle vulnerabilities," he said on Red Database's website. "In this case, not only (did) Oracle release detailed information on the vulnerability, they also included the working exploit code on the Metalink website."

An Oracle representative could not immediately be reached for comment. The company's next Critical Patch Update is scheduled for next Tuesday.

The flaw exists in Oracle Database versions 9.1.0.0 to 10.2.0.3, according to Red Database. Christian Lkeinewachter and Swen Thummler from Infinity3 GmbH reported the bug to Oracle on Feb. 24, according to the advisory.

Oracle released patches for 82 flaws in a number of its products – including Oracle Database – in its January release and more than 80 in its October release.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.