Oracle and a UK security researcher are engaged in a public war of words after the researcher issued an unofficial patch against an Oracle application server flaw.
Oracle is warning users not to use a workaround patch written by David Litchfield, managing director of UK-based Next Generation Security Software.
Litchfield issued the patch via the BugTraq mailing list earlier this month, after he became impatient with Oracle’s lack of action over the flaw, which was discovered last October.
Oracle says it was notified of the patch before it was released, but maintains it is not suitable, as it will have an adverse effect on a large number of the company’s E-Business Suite applications when used with Oracle Application Server.
Litchfield said Oracle had tried to tackle similar flaws in the application server over the last four years, but claimed those fixes had never fully worked.
Oracle, which says no exploit code currently exists for the flaw, is still working on an official patch, and claims Litchfield’s actions will only encourage attackers to try to exploit the problem.
The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. It relates to the PL/SQL gateway, a piece of code that allows web-based users to interact with PL/SQL applications in a back-end database server.
Litchfield said the “critical” flaw allowed an attacker to come in off the internet without a user ID or password and interact with the back-end database server, passing straight through any firewalls in between.
Litchfield took unofficial action to plug the hole after Oracle did not include a fix in its last round of patching earlier this month. Oracle is not scheduled to issue any further patches until its next security round in April.