Oracle databases open to attack
And the cavalry's not due until next year.
By Gregg Keizer, Computerworld | Published: 02:31, 09 November 2007
Oracle's flagship database software is wide open to attack, due to an unpatchable vulnerability and available exploit code, according to security researchers.
The vulnerability in Oracle Database 10gR2 was disclosed this week by VeriSign's iDefense Labs. Earlier versions of the software may also be at risk, iDefense cautioned.
Symantec has now warned its customers. "The issue affects the 'OWNER' and the 'NAME' parameters of the 'XDB.XDB_PITRIG_PKG.PITRIG_DROP METADATA' procedure," said Symantec. "Specifically, if the combined length of both parameters is excessively large, a buffer will overflow when constructing a SQL query."
An attack requires authentication to the database, but assuming that, a successful exploit could execute code remotely. Proof-of-concept exploit code was posted on the web a week ago.
Oracle claimed it has squashed the bug in the Database 10g code, but it will not issue a patch until its next quarterly Critical Patch Update, which is scheduled for 15 January 2008, both iDefense and Symantec reported.
Because there are no workarounds available in the interim, Symantec recommended that users deploy network intrusion-detection systems (IDS) to monitor traffic for malicious activity, and allow only trusted employees to access the database.