Oracle has inadvertently alerted hackers to a previously unknown flaw in its Oracle Server platform and published information to help them exploit it.
The flaw allows any user to read, modify or delete data used by Oracle-based applications.
Security researcher Alex Kornbrust, of Red-Database-Security, reported the problem to Oracle after reading the exploit information on Oracle's MetaLink knowledge base last week.
The published flaw relates to a previously unknown security hole in Oracle Server Enterprise Edition versions 9.2 to 10.2.0.3.
The flaw allows Oracle users with read-only privileges to delete or change data used by Oracle applications.
Kornbrust says sample code published within the knowledge base article demonstrated to Oracle customers how the flaw could be exploited.
After being informed of the problem, Oracle removed the article from MetaLink, but it is feared that hackers may have had time to read and copy the information for use in future attacks on Oracle customers.
Oracle said it was planning to release a patch to close the security hole.