A German security researcher has taker the unusual step of disclosing six serious security vulnerabilities in Oracle products, as a way of publicizing the company's alleged failure to fix the problems.
The bugs -- reported to Oracle as long as two years ago -- affect Oracle Reports and Oracle Forms, both widely used enterprise tools, and could allow attackers to execute malicious commands, disclose information, overwrite files or conduct cross site scripting attacks.
Alexander Kornbrust of Red Database Security, who disclosed the flaws, provided detailed instructions on exploiting most of the flaws, as well as work-arounds for protecting themselves until patches are released.
Kornbrust's advisories, with work-around instructions, can be found on Red Database Security's Web site, here: http://www.red-database-security.com/advisory/published_alerts.html.
Oracle has suffered criticism in the past over its slow handling of serious flaws, leading to its current quarterly update system. However, it seems the database giant still has a backlog on its hands: Kornbrust said he originally told Oracle of the bugs between 663 days and 718 days ago.
Three months ago Kornbrust told Oracle he would publish the details if a patch wasn't published with the July 2005 security update. "I know that Oracle products are complex and a good patch quality need some time. That's why I offered Oracle additional time if 3 months are not sufficient for fixing the bugs. Oracle never asked for more time," Kornbrust said in a message to the BugTraq security mailing list.
He said the delay was "not acceptable" and put customers at risk. "At least one critical vulnerability can be abused from any attacker via internet. I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the work-arounds provided in the advisories," he wrote.
The bugs are all input validation errors. The Oracle Forms flaw involves a problem with processing a specially crafted "form" or "module" parameter, which could allow a user to upload a forms executable and run commands with System or Oracle privileges. Kornbrust said the flaw was "high risk."
The remaining flaws are input validation bugs in Oracle Reports parameters, allowing an attacker to overwrite files, disclose file content, or run malicious commands and scripting code. Kornbrust said they range from "medium risk" to "high risk."
An advisory from FrSIRT, the French Security Incident Response Team, ranked the flaws as "high risk."
Oracle said in a statement it was "disappointed" when vulnerability information is disclosed ahead of a patch, as this could put users at risk. The company said it takes security seriously. When contacted by Techworld, the company declined to make further comment.