Researcher Details New Oracle Zero-Day Bug - InformationWeek

A longtime critic of Oracle says the bug can be exploited by an attacker to grab complete control of an Oracle database server via a compromised Web server.

Oracle has taken another hit as a long-time critic of the company's security practices outlined a new unpatched vulnerability at the Black Hat Federal 2006 conference in Washington, D.C.

British security researcher David Litchfield, managing director of U.K.-based Next Generation Security Software (NGS), gave a presentation on the zero-day vulnerability Wednesday at Black Hat, then posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists.

The flaw, which Litchfield called "critical," lies in the Oracle PLSQL Gateway, the component that lets Web requests invoke PL/SQL procedures in the database and that ships with several Oracle products, including Application Server and HTTP Server. Because the gateway sits between the Web server and the database, the bug, he added, can be exploited by an attacker to take complete control of an Oracle database server through the compromised Web server.

Litchfield, who has been criticized by Oracle in the past for releasing vulnerability information prior to patches being posted, said that the flaw was first reported to Oracle on Oct. 26, 2005. It's not uncommon for months to pass, and in some cases years, before Oracle patches a known bug.

"On November 7 NGS alerted NISCC to the problem. It was hoped that due to the severity of the problem that Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update. They failed to do so," wrote Litchfield in the Full Disclosure entry.

The London-based NISCC (National Infrastructure Security Co-ordination Centre) is a U.K. government agency roughly equivalent to US-CERT, the Department of Homeland Security unit responsible for defending the U.S. against electronic attack; NISCC has the same responsibility for the U.K.

No patch is available: Oracle's most recent Critical Patch Update, which fixed 82 other bugs across the Redwood Shores, Calif. database software maker's product line, did not address this flaw. In lieu of a patch, Litchfield offered a workaround consisting of a four-line addition to the Web server's configuration file.

"I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU [Critical Patch Update] is reasonable especially when this bug is so easy to fix and easy to workaround," Litchfield wrote. "Again, I urge all Oracle customers to get on the phone to Oracle and demand the respect you paid for."

Litchfield essentially seconded the recent opinion of Gartner analyst Rich Mogull, who bashed Oracle on much the same grounds.

Ironically, Litchfield was one of several researchers credited with finding flaws that led to the patches Oracle released last week.

Oracle did not immediately return a call for comment.
