Skip Links

Network World

  • Social Web 
  • Email 
  • Close

(Comma separation for multiple addresses)
Your Message:

Exploit circulating for newly patched Oracle bug

By Robert McMillan , IDG News Service , 10/20/2005
  • Share/Email
  • Tweet This
  • Comment
  • Print

Database administrators now have a little added incentive to install Oracle's latest security patches , released earlier this week. Malicious software is now circulating that can crash an unpatched database server, and one security expert predicted that more malware targeting the 89 recently patched vulnerabilities is on the way.

On Thursday, code was published on the Full Disclosure security mailing list that exploits a buffer overflow vulnerability in certain versions of Oracle's databases.

This code could be used by attackers to bring down a database, using a technique called an SQL injection attack, said Alexander Kornbrust, a business director at Red-Database-Security, in Neunkirchen, Germany. In SQL injection attacks, Web applications that work with the database are tricked into sending malicious database queries using the SQL language.

The exploit could be used either by an attacker who had user credentials on an unpatched database or by a remote attacker, using an SQL injection attack over the Internet, Kornbrust said. "I tried the exploit and it's working," he said in an interview conducted via instant message. "I highly recommend customers to apply these patches as soon as possible."

In a statement, Oracle said that versions 9i and 10g of the database software were vulnerable to the bug, but the exploit published on Full Disclosure affects only 10g users, according to Kornbrust.

On Tuesday, Oracle released a bundle of critical security patches that fixed 89 bugs in its database and application servers, as well as some PeopleSoft and J.D. Edwards applications. Oracle releases security patches every three months as part of its security update program.

Normally, a few exploits begin circulating after each Oracle security update, Kornbrust said.

The buffer overflow vulnerability is described as vulnerability number DB27 on this page .

The Full Disclosure exploit code can be found here .

Oracle did not respond to requests for comment on this story.

  • Share/Email
  • Tweet This
  • Comment
  • Print

Partner Content

Gartner 2009 Magic Quadrant for Job Scheduling

Gartner has positioned BMC CONTROL-M in the Leaders Quadrant of their "2009 Magic Quadrant for Job Scheduling." The report assesses the ability to execute and completeness of vision of key vendors in the marketplace. Read a full copy today, courtesy of BMC Software.

Download whitepaper

Dell's SMART Approach to Workload Automation

Read a compelling case study by EMA, Inc. to learn how Dell uses BMC CONTROL-M to cut cost and increase productivity with workload automation.

Download whitepaper

Workload Automation Cost Savings 2 Minute Video

A major computer manufacturer uses BMC CONTROL-M and just four people to schedule and run over 85,000 jobs every month. By switching to BMC CONTROL-M, they more than quadrupled the workload without adding a single staff member.  See how in this 2-minute video overview.

Go to video

Comment
Login
Forgot your account info?
Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Videos

rssRss Feed