
Exploited flaw traced as far back as Oracle 8

An Oracle database bug that was exploited earlier this month has existed since version 8 of the company’s enterprise database.

Code for hacking into the Oracle database was published on the NTBugtraq website just days after Oracle released its April critical patch update.

However, the update does not fix the specific flaw that the exploit takes advantage of, said David Litchfield, managing director of London-based Oracle security specialist NGS Software. The exploit, which affects the DBMS_Export_Extension package in the database, could let a user gain database administrator privileges with full administrative control over the database server.

Litchfield said, “This flaw goes all the way back to Oracle 8 and is one of the flaws I reported to Oracle. It is incredible that there have been so many problems in DBMS_Export_Extension that Oracle has been unable to fix.”

Litchfield urged database administrators to minimise risk by disabling the affected function to prevent execution of code.

Oracle said that since its critical patch update is tested across product suites, the company is limited in the number of fixes it can include.

