Oracle database flaw deemed serious, could expose data


Brent Huston, chief executive of security testing company MicroSolved, said even if a company prevents Internet access to a vulnerable database, the data is still at risk of an attack from the inside.

"Oracle's choice to lock this patch to an upgrade really forces the hand of those organizations with longer technology refresh periods and puts a lot of strain on the trust relationships they have with Oracle as a vendor," Huston said in an email.

Because of the vulnerability, customers that haven't upgraded their databases will have to implement some form of protection, particularly if they are subject to oversight by regulators, Huston said.

Fayo discovered the vulnerability after noticing that the client and server handled logins with incorrect passwords differently; a closer examination of that difference revealed the flaw.

Fayo discussed the vulnerability Thursday at the Ekoparty Security Conference.