Oracle urges customers to patch Web apps

Database software maker Oracle warned customers using the most recent version of its e-commerce program of a flaw that puts their systems at risk.

In a terse but strongly worded advisory released to customers last week, Oracle said a software flaw in its Oracle 11i E-Business Suite and its Oracle Applications 11.0 could let an attacker take control of the database that powers the programs.

"Risk of exposure is high, as any user with browser access and specialized knowledge can exploit" the flaw, Oracle said in the advisory. The company would not provide details. Oracle has released a patch for the problem and urged customers to update their systems.

Security information provider Secunia rated the vulnerability as "highly critical," its second-highest rating.

The vulnerability was discovered by Stephen Kost, chief technology officer for Integrigy, a company focused on creating software to secure critical corporate applications. Integrigy's own advisory jibed with Oracle's on the ease with which the flaw could be exploited.

"Since attacks can be specially crafted for Oracle Applications and an attack may only be a single (HTTP, or Hypertext Transfer Protocol, request), successful attacks can be easily designed that will evade most intrusion detection and prevention systems," Integrigy said in its advisory.

Early last year, Integrigy released its application security product, AppSentry, for Oracle's E-Business Suite. A year ago, the company also published information on two other flaws in the same Oracle product.
