Researcher who found bug says Big Red to patch flaw in Tuesday fix roundup
Clear some time in your diary and drink an extra coffee, sysadmins: a top hacker has warned that Oracle will tomorrow patch a horror bug that needs urgent attention.
Datacom TSS hacker David Litchfield told The Reg he has reported to Oracle that versions of its E-Business suite contain a "major" misconfiguration flaw that allowed anyone to fully compromise the database server.
Litchfield told The Reg that the hole is a "real doozy" that could not be explained by Oracle.
"The technical details are that the PUBLIC role has been granted the INDEX privilege on the DUAL table owned by SYS," Litchfield told Vulture South.
"This allows anyone to create an index on the DUAL table and if they create a function based index that function executes with the privileges of SYS – i.e. the root of all authority on the DB.
"I'm flabbergasted. I'm hoping it was simply done in error and I'll leave the conspiracy theories for others."
Tomorrow, Oracle are patching 11 flaws I reported to them a while back. Some are critical and one of them I'm just gobsmacked by.
— David Litchfield (@dlitchfield) January 19, 2015
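The flaw Litchfield describes is a plain privilege grant, so it can be audited from the data dictionary. The SQL below is an added example, not code from the article, from Litchfield or from Oracle. It assumes a DBA-privileged session on an Oracle database; the object and privilege names (PUBLIC, INDEX, SYS.DUAL) come from the article, the view names are standard Oracle data dictionary views, and the second query generalises the check to other object privileges on SYS-owned tables that should not be held by PUBLIC.

```sql
-- Added example (not from the article or from Oracle): audit and
-- remediation statements for the grant Litchfield describes.
-- Assumes a DBA-privileged session on an Oracle database.

-- 1. Is INDEX on SYS.DUAL granted to anyone? On a healthy instance this
--    should return no rows; a GRANTEE of PUBLIC is the condition in the article.
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DUAL'
   AND privilege = 'INDEX';

-- 2. Wider sweep (generalisation): object privileges on SYS-owned tables
--    held by PUBLIC that let any session change an object's definition.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege IN ('INDEX', 'ALTER', 'REFERENCES')
 ORDER BY table_name, privilege;

-- 3. Has the grant already been exercised? DUAL normally carries no
--    indexes, so any index on it, above all a function-based one
--    (INDEX_TYPE like 'FUNCTION-BASED%'), warrants investigation.
--    The expression column shows which function the index would call.
SELECT i.owner, i.index_name, i.index_type, e.column_expression
  FROM dba_indexes i
  LEFT JOIN dba_ind_expressions e
    ON e.index_owner = i.owner
   AND e.index_name  = i.index_name
 WHERE i.table_owner = 'SYS'
   AND i.table_name  = 'DUAL';

-- 4. Manual mitigation: remove the grant the article identifies.
--    (Assumption: the vendor's Critical Patch Update is the authoritative
--    fix; this revoke only closes the specific grant quoted above.)
REVOKE INDEX ON sys.dual FROM PUBLIC;
```

Query 1 is the direct check for the reported condition; query 3 is the one to run before the revoke, because an index created while the grant was in place survives the revoke and its underlying function still needs to be reviewed and dropped.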
See here for full details of the patch update: Oracle Critical Patch Update Pre-Release Announcement - January 2015