Oracle and a UK security researcher are engaged in a public war of words after the researcher issued an unofficial patch against an Oracle application server flaw.

Oracle is warning users not to use a workaround patch written by David Litchfield, managing director of UK-based Next Generation Security Software.

Litchfield issued the patch via the BugTraq mailing list earlier this month, after he became impatient about Oracle's lack of action over the flaw, which was discovered last October.

Oracle says it was notified of the patch before it was released, but maintains it is not suitable, as it will have an adverse effect on a large number of the company's E-Business Suite applications when used with Oracle Application Server.

Litchfield said Oracle had tried to tackle similar flaws in the application server over the last four years, but claimed these fixes had never fully worked.

Oracle, which says no exploit code currently exists for the flaw, is still working on an official patch, and claims Litchfield's actions will only encourage attackers to try to exploit the problem.

The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. It relates to the PL/SQL gateway, a piece of code that allows web-based users to interact with PL/SQL applications in a back-end database server.

Litchfield said the "critical" flaw allowed an attacker to come in off the internet without a user ID or password and interact with the back-end database server, passing through all firewalls.

Litchfield took unofficial action to plug the hole after Oracle did not include a fix in its last round of patching earlier this month. Oracle is not scheduled to issue any further patches until its next security round in April.