Oracle Corp.'s most recent patch release failed to address a critical flaw that attackers could exploit to access "excluded" packages and procedures.
David Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., issued that warning and offered a workaround this week via the BugTraq forum operated by Cupertino, Calif.-based AV giant Symantec Corp.
"There's a critical flaw in the Oracle PLSQL Gateway, a component of iAS, OAS and the Oracle HTTP Server, that allows attackers to bypass the PLSQLExclusion list and gain access to 'excluded' packages and procedures," Litchfield said. "This can be exploited by an attacker to gain full DBA control of the back-end database server through the Web server."
He said the flaw was reported to Oracle Oct. 26 and that on Nov. 7, NGS alerted the UK's National Infrastructure Security Co-ordination Centre (NISCC). "It was hoped that due to the severity of the problem that Oracle would release a fix or a workaround for this in the January 2006 Critical Patch Update," he said. But the vendor "failed to do so."
He added, "I don't think leaving their customers vulnerable for another three months (or perhaps even longer) until the next [critical patch update] is reasonable, especially when this bug is so easy to fix and easy to work around.
"Again, I urge all Oracle customers to get on the phone to Oracle and demand the respect you paid for."
Oracle e-mailed SearchSecurity.com a statement Thursday afternoon, saying it is currently developing a patch that addresses the vulnerability and intends to issue it in a future quarterly patch update.
"We are disappointed that Litchfield, in an apparent violation of NGS Software's disclosure policy, published a workaround for the vulnerability," Oracle said. "Information provided in a workaround may be used to develop exploits for the identified vulnerability. Additionally, Oracle has determined that the workaround provided by Litchfield can break application functionality on certain systems."
Full details of that workaround can be found in the BugTraq listing. But Danish vulnerability clearinghouse Secunia described it this way in an advisory: "Filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities."
This isn't the first time that Litchfield has criticized Oracle's security policies. He has taken the Redwood Shores, Calif.-based database giant to task on several occasions in recent years. He did so following Oracle's July 2005 patch release, when he said some of the fixes didn't actually work. He offered similar criticism after Oracle's October 2005 patching cycle.
This story also appears at SearchSecurity.com, part of the TechTarget network.