Code is already circulating that exploits a recently patched hole in Oracle database's server.

The Full Disclosure security mailing list posted code that exploits a buffer overflow vulnerability in certain versions of Oracle's databases and could be used by attackers to bring down a database, said Alexander Kornbrust, a business director at Red-Database-Security.

Web applications that work with the database could be tricked into sending malicious database queries using the SQL language, Kornbrust warned.

The exploit could be used either by an attacker who had user credentials on an unpatched database or by a remote attacker, using an SQL injection attack over the Internet, Kornbrust said. "I tried the exploit and it's working," he said. "I highly recommend customers to apply these patches as soon as possible."

Earlier this week, Oracle put out a series of critical security patches for 88 holes in products including its database and application servers and in some PeopleSoft and JD Edwards applications. It recommended applying the patches as soon as possible.

In a statement, Oracle said that versions 9i and 10g of the database software were vulnerable to the bug, but the exploit published on Full Disclosure affects only 10g users, according to Kornbrust.

On Tuesday, Oracle released a bundle of critical security patches that fixed 89 bugs in its database and application servers, as well as some PeopleSoft and J.D. Edwards applications. Oracle releases security patches every three months as part of its security update program.