Oracle database vulnerable to new attack class

Database security researcher David Litchfield with NGS Software claims to have discovered a new class of security flaw affecting Oracle databases.

The flaw could allow attackers to launch an SQL injection attack or steal confidential information.

"The sky is not falling but in certain cases the class of attack may expose data to an attacker," Litchfield wrote in an analysis on a company website (PDF download).

Referred to as 'dangling cursor snarfing', the attack allows a low privilege user to gain administrator access to certain parts of a database, allowing them to either alter the database's content or steal confidential information. The vulnerability occurs when a third party or an Oracle application fails to close so-called cursors in the database. Cursors provide applications developers with a way to fetch and process database information in their software.

If a cursor is created by higher privileged code and left open, an attacker with low privileges could essentially take over the higher privileged role.

The vulnerability requires proper coding practices by developers. Oracle won't be able to issue a patch, Litchfield said.

Application developers can protect themselves against the flaw by properly closing cursors. Litchfield also recommended that users perform strict input validation on what is entered into data.

Oracle said that the company is currently investigating the claims in Litchfield's report and plans to provide customers information on how to protect themselves at a later stage.

Security researchers are increasingly scrutinising Oracle's database. The company's security practices have fallen behind the latest attack trends, Litchfield alleged in an interview last week.

Security firm Argeniss is planning to have a Week of Oracle Database Bugs in December to demonstrate the vendor's poor security record.