Oracle has inadvertently alerted hackers to a previously unknown flaw in its Oracle Server platform and published information to help them exploit it.

The flaw allows any user to read, modify or delete data used by Oracle-based applications.

Security researcher Alex Kornbrust, of Red-Database-Security, reported the problem to Oracle after reading the exploit information on Oracle's MetaLink knowledge base last week.

The published flaw relates to a previously unknown security hole in Oracle Server Enterprise Edition Version 9.2 to 10.2.0.3.

The flaw allows Oracle users with read-only privileges to delete or change data used by Oracle applications.

Kornbrust says sample code published within the knowledge base article demonstrated to Oracle customers how the flaw could be exploited.

After being informed of the problem, Oracle removed the article from MetaLink, but it is feared that hackers may have had time to read and copy the information, to be used for future attacks on Oracle customers.

Oracle said it was planning to release a patch to close the security hole.