Critical patch released by Oracle


Software giant Oracle issued a critical patch update today designed to correct a flaw that lets users with only basic login access gain full database administrator privileges.

The fix, issued as part of the quarterly critical patch update (CPU) program of the Redwood Shores, Calif., company, also provides a default account and password checking utility that helps customers secure certain default database accounts, according to Oracle.


Imperva discovered and reported the vulnerability in October, the data security firm said today.

"The standard authentication mechanism requires a client to supply a valid pair of user name and password," said Imperva in a statement.

"During the login process (before the flaw was corrected), an Oracle user with no more than 'create session' privileges can execute commands in the context of the special database under SYS. This grants any user the highest administrative privileges possible."
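As an added example (not from the article, Oracle or Imperva), below are the checks a DBA could run alongside this CPU: which default accounts still carry their shipped password, which accounts hold the CREATE SESSION privilege the reported flaw needed, which accounts hold DBA-level rights that a compromise before patching could have planted, and how to lock and audit what turns up. It assumes Oracle 11g or later (the DBA_USERS_WITH_DEFPWD view did not exist when this article was written), a login able to read the DBA_* and V$ views, and illustrative account names and a 90-day window chosen for the example.

```sql
-- Added example: Oracle SQL checks to run alongside a critical patch update.
-- Assumptions (not from the article): Oracle 11g+ for DBA_USERS_WITH_DEFPWD,
-- a session that can read DBA_* and V$ views, illustrative account names.

-- 1. Default accounts still using the password they shipped with.
--    Any row here is an account the CPU's checking utility would flag.
SELECT d.username, u.account_status, u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Every open account able to log in. CREATE SESSION was the only
--    privilege the reported flaw needed, so before patching this is the
--    whole exposed population. The privilege may be granted directly or
--    through a role such as CONNECT (one level of role nesting is followed).
SELECT u.username, u.account_status, p.grantee AS granted_via
  FROM dba_users u
  JOIN dba_sys_privs p
    ON p.privilege = 'CREATE SESSION'
   AND (p.grantee = u.username
        OR p.grantee IN (SELECT r.granted_role
                           FROM dba_role_privs r
                          WHERE r.grantee = u.username))
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;

-- 3. Accounts holding DBA-level rights. Because the flaw yielded SYS-level
--    privileges, an attacker who used it before the patch could have
--    granted themselves a persistent administrative account; review every
--    row, and in particular accounts created recently (90 days is an
--    arbitrary window chosen for this example).
SELECT u.username, u.created, 'DBA role' AS how
  FROM dba_users u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE r.granted_role = 'DBA'
UNION ALL
SELECT u.username, u.created, 'GRANT ANY PRIVILEGE'
  FROM dba_users u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE p.privilege = 'GRANT ANY PRIVILEGE'
UNION ALL
SELECT u.username, u.created, 'SYSDBA in password file'
  FROM dba_users u
  JOIN v$pwfile_users w ON w.username = u.username
 WHERE w.sysdba = 'TRUE'
 ORDER BY 2 DESC;

-- 4. Remediation for a default account found in step 1 (SCOTT is a real
--    Oracle sample-schema account; the statement is the same for any other):
--    lock it and force a password change if it is ever re-enabled.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 5. Record logins and privilege grants so that anomalous activity of the
--    kind discussed later in the article is visible in the audit trail.
AUDIT CREATE SESSION;
AUDIT GRANT ANY PRIVILEGE;
AUDIT GRANT ANY ROLE;
```

Step 3 deliberately lists legitimate administrators too; the useful output is the difference between that list and the one the DBA team expects, so keep a signed-off baseline and re-run the query after each CPU.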

An Oracle spokeswoman could not immediately be reached for comment.

Imperva also said today that such a delay in releasing a patch is not practical for most companies.

"It took over two months for a patch to be released to address this critical vulnerability," Imperva said. "While the complexity of modern database platforms may necessitate such delays, they are not acceptable for companies who rely on databases to run their business."

Imperva suggested users implement a database security gateway, which detects possible attacks by analyzing messages going from clients to server.

"Such products have the capability to provide protection against platform-level vulnerabilities in the timeframes of hours or days after a new vulnerability is discovered," Imperva said.

Meanwhile, Ron Ben-Natan, chief technology officer at database security company Guardium, emphasized the importance of today's Oracle update.

"Database managers should apply basic security practices like installing these patches, while proactively monitoring for anomalous database activity from both insiders and outsiders," said Ben-Natan. "Many of the CPUs protect against attacks on the availability of the database, which makes them even more important to apply."

Copyright © SC Magazine, US edition