Oracle Flaw PoC Releases by Mistake

Tuesday, April 17, 2012 @ 05:04 PM gHale

It is bad enough a company has a security issue with its software, but when they break it down and discover the proof of concept and then accidentally publish it, it just gets worse.

That is exactly what happened to Oracle.

A+ Discovery: Student Finds Zero Day
Socially Engineered Emails a Threat
IT Security: Physical, not Just Cyber
McAfee: Abundant Gaps in Security

It accidentally released a MySQL denial-of-service (DoS) proof of concept in the process of fixing the same problem. In March, the company released updates to MySQL, versions 5.5.22 and 5.1.62, which referred in their changes to “Security Fix: Bug #13510739 and Bug #63775 were fixed” with no other details on the problems.

It is a common practice to keep details quiet about issues an attacker could use against older versions of software; even the bug reports for 13510739 and 63775 are not yet publicly available.

But, as security researcher Eric Romang discovered, Oracle also shipped the new MySQL versions with a development script “mysql-test/suite/innodb/t/innodb_bug13510739.test” in the source which appears to be not only part of the automated testing for MySQL, but also a proof of concept for the flaw which crashes MySQL 5.5.21 and earlier versions.

Romang posted the script on Pastebin, but it requires authenticated access and appropriate privileges to run which mitigates the problem somewhat.

Leave a Reply

You must be logged in to post a comment.