Oracle, the leading database software company, unexpectedly revealed details about an unpatched security vulnerability in its products last weekend.
Traditionally, Oracle tends to keep security flaws and the identities of the researchers who discover these vulnerabilities confidential. However, Alexander Kornbrust, an expert specializing in Oracle security issues, stated that on April 6, Oracle disclosed details about an unpatched security vulnerability.
Oracle confirmed that the specifics of this security flaw had been released unexpectedly. “The information related to the security vulnerability has been unexpectedly disclosed,” a representative from Oracle said. “We are currently investigating this matter.”
The security vulnerability primarily affects Oracle database software versions from 9.1.0.0 to 10.2.0.3, on all operating systems.
Kornbrust noted that the disclosure included not only details of the security flaw but also snippets of code for testing the vulnerability.
The link to the detailed information about this security flaw has since been removed. However, because the details were published, it is certain that the information about this vulnerability has already been widely circulated.
This security vulnerability could be exploited to escalate privileges in the database, meaning that users with limited access to the database could leverage it to gain additional rights. “Depending on the architecture of the application, access escalation could allow for broader access, potentially even altering data – for example, changing the database password,” Kornbrust explained.
The vulnerability arises from an error in processing “views” for certain users with restricted access. This security flaw is currently rated as normal severity.
Oracle has not yet released a patch to address this security flaw. However, a security patch scheduled for release yesterday was expected to include a fix for this vulnerability.
Hoàng Dũng