Exploited flaw traced as far back as Oracle 8



Cliff Saran

An Oracle database bug that was exploited earlier this month has existed since version 8 of the company’s enterprise database.

Code for hacking into the Oracle database was published on the NTBugtraq website just days after Oracle released its April critical patch update.

However, the update does not fix the specific flaw that the exploit takes advantage of, said David Litchfield, managing director of London-based Oracle security specialist NGS Software. The exploit, which affects the DBMS_Export_Extension package in the database, could let a user gain database administrator privileges with full administrative control over the database server.

Litchfield said, “This flaw goes all the way back to Oracle 8 and is one of the flaws I reported to Oracle. It is incredible that there have been so many problems in DBMS_Export_Extension that Oracle has been unable to fix.”

Litchfield urged database administrators to minimise risk by disabling the affected function to prevent execution of code.

Oracle said that since its critical patch update is tested across product suites, the company is limited in the number of fixes it can include.
