Researcher Details New Oracle Zero-Day Bug

A longtime critic of Oracle says the bug can be exploited by an attacker to grab complete control of an Oracle database server via a compromised Web server.
Oracle has taken another hit as a long-time critic of the company's security practices outlined a new unpatched vulnerability at the Black Hat Federal 2006 conference in Washington, D.C.

British security researcher David Litchfield, the managing director of U.K.-based Next Generation Security Software, gave a presentation on the zero-day vulnerability Wednesday at Black Hat, then posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists.

The flaw, which Litchfield called "critical," lies in the Oracle PLSQL Gateway, a component of several Oracle products, including Application Server and HTTP Server. The bug, he added, can be exploited by an attacker to grab complete control of an Oracle database server via the compromised Web server.

Litchfield, who has been criticized by Oracle in the past for releasing vulnerability information prior to patches being posted, said that the flaw was first reported to Oracle on Oct. 26, 2005. It's not uncommon for months to pass, and in some cases years, before Oracle patches a known bug.

"On November 7 NGS alerted NISCC to the problem. It was hoped that due to the severity of the problem that Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update. They failed to do so," wrote Litchfield in the Full Disclosure entry.

The London-based NISCC (National Infrastructure Security Co-ordination Centre) is a government agency somewhat like US-CERT; like that part of the Department of Homeland Security, NISCC is responsible for defending the U.K. against electronic attack.

In lieu of a patch -- Oracle's most recent critical update package, which fixed 82 other bugs in the Redwood Shores, Calif., database software maker's product line, did not address this flaw -- Litchfield offered a workaround composed of a four-line addition to the configuration file of the Web server.

"I don't think leaving their customers vulnerable for another 3 months (or perhaps even longer) until the next CPU [Critical Patch Update] is reasonable especially when this bug is so easy to fix and easy to workaround," Litchfield wrote. "Again, I urge all Oracle customers to get on the phone to Oracle and demand the respect you paid for."

Litchfield essentially seconded the recent opinion of Gartner analyst Rich Mogull, who bashed Oracle on much the same grounds.

Ironically, Litchfield was one of several researchers credited with finding flaws that led to the patches Oracle released last week.

Oracle did not immediately return a call for comment.