An Oracle database bug that was exploited earlier this month has existed since version 8 of the company’s enterprise database.
Code for hacking into the Oracle database was published on the NTBugtraq website just days after Oracle released its April critical patch update.
However, the update does not fix the specific flaw that the exploit takes advantage of, said David Litchfield, managing director of London-based Oracle security specialist NGS Software. The exploit, which targets the DBMS_Export_Extension package in the database, could let a user gain database administrator privileges, giving full administrative control over the database server.
Litchfield said, “This flaw goes all the way back to Oracle 8 and is one of the flaws I reported to Oracle. It is incredible that there have been so many problems in DBMS_Export_Extension that Oracle has been unable to fix.”
Litchfield urged database administrators to minimise risk by disabling the affected function to prevent execution of code.
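One way an administrator could act on that advice, shown here as an added example rather than anything from the article or from NGS Software: check who can execute the package, remove the blanket EXECUTE grant from PUBLIC, and audit any remaining use. This assumes a DBA or SYSDBA session, that the package is owned by SYS, and that revoking EXECUTE from PUBLIC is an acceptable way to "disable" it in the environment concerned.

```sql
-- Added example (not from the article): restrict and monitor the package
-- Litchfield advised disabling. Assumes a DBA/SYSDBA session and that the
-- package owner is SYS; confirm both on the system before running.

-- 1. List current EXECUTE grantees; PUBLIC is the grant of concern,
--    because it lets any database account call the package.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION';

-- 2. Remove the blanket grant so ordinary users can no longer call it.
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;

-- 3. Record every remaining call (traditional object auditing), so that
--    any use by the accounts that still hold EXECUTE shows up in the audit trail.
AUDIT EXECUTE ON sys.dbms_export_extension BY ACCESS;

-- 4. Re-run the check; PUBLIC should no longer appear in the result.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
   AND grantee = 'PUBLIC';
```

Run this on a test system first: export tooling and any application schema that relies on the package will lose access once the PUBLIC grant is gone, and those specific accounts can then be granted EXECUTE individually if they genuinely need it.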
Oracle said that since its critical patch update is tested across product suites, the company is limited in the number of fixes it can include.