A security expert has warned that a vulnerability on Oracle Server could allow all users to read, modify, and delete data.
Alex Kornbrust of Red-Database-Security said that an unpatched and previously unknown security hole in Oracle Server Enterprise Edition Version 9.2 to 10.2.0.3 permits Oracle users with read-only privileges to delete or modify rows of data used by Oracle applications. Sample code published on Oracle's knowledgebase web pages showed Oracle customers how the flaw could be exploited, he said.
An Oracle spokeswoman said the company is aware of the vulnerability Kornbrust identified and is preparing a patch to address it in a future Critical Patch Update (CPU).
Oracle removed the article from knowledgebase after being informed of the security threat it posed. However, malicious hackers with access to MetaLink may have already copied the exploit code from the knowledgebase article, said Kornbrust, an expert on Oracle security.
The vulnerability affects an Oracle view called an updatable join view, which allows Oracle customers to dynamically update or delete information in underlying database tables.
Kornbrust said users with SELECT privileges on a database table, which allows them to read and display data from the table, can instead delete, update, and insert new data into a table using the exploit.
The vulnerability will not affect data stored in the Oracle data dictionary, which stores the core information, such as tables of user accounts and database objects, used by the Oracle database. However, the flaw could be used to circumvent user permissions in software applications that rely on Oracle, said Kornbrust.
A malicious hacker would need to be able to log on to the vulnerable Oracle database, but even low level "read only" or guest accounts could be used to insert, update or delete data, he said.
"The impact of this on custom applications can be huge and eliminate the entire (user) role concept," he wrote in a post to the Full Disclosure security discussion list.
Oracle's spokeswoman said security is a matter the company takes seriously and stands by the inherent security of its products, but that "we are always working to do better."
Oracle administrators looking for a temporary fix for the problem can remove the CREATE VIEW privilege for low-level accounts, Kornbrust said. That privilege was granted, by default, to user accounts in versions of Oracle's database up to 10g Rel 2.