Oracle database vulnerable to new attack class
Database security researcher David Litchfield with NGS Software claims to have discovered a new class of security flaw affecting Oracle databases. The flaw could allow attackers to launch an SQL injection attack or steal confidential information. "The sky is not falling but in certain cases the class of attack may expose data to an attacker," Litchfield wrote in an analysis on a company website.
Referred to as 'dangling cursor snarfing', the attack allows a low-privilege user to gain administrator access to certain parts of a database, letting them either alter the database's content or steal confidential information. The vulnerability occurs when a third-party or Oracle application fails to close so-called cursors in the database. Cursors provide application developers with a way to fetch and process database information in their software.