Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: security bug - join syntax

RE: security bug - join syntax

From: Eric D. Pierce <>
Date: Mon, 22 Jul 2002 02:38:20 -0800
Message-ID: <>

re: Bug 2121935

---metalink excerpts---

Doc ID: 190077.1

List of Bugs fixed in Oracle9i Release 2 base release (

This is a listing of the main bugs fixed in the Oracle9i Release 2 base release. The bugs are listed in categories related to the product area and/or symptom of the bug. A bug may be listed in more than one section.

Bug Fixes by Category


2121935* User Privileges Vulnerability in Oracle9i Database Server


 <Bug:2121935> * Fixed: 9201
 This problem is introduced in Oracle9i (9.0.1).  There is a user privileges vulnerability in Oracle9i Database Server..
 See <Note:185074.1>


 Doc ID: Note:185074.1
 Subject: ALERT: User Privileges Vulnerability in Oracle9i Database Server
 Type: ALERT
  Content Type: TEXT/PLAIN
 Creation Date: 18-APR-2002
 Last Revision Date: 25-APR-2002    

 Oracle Security Alert #33
 Dated: 17 April 2002  

 User Privileges Vulnerability in Oracle9i Database Server  



A potential security vulnerability has been discovered in Oracle9i database server. It is possible to create a user defined in the Oracle9i database server with limited privileges who can potentially access privileged data using SQL syntax for outer joins. As such, a knowledgeable and malicious user can gain unauthorized access to data in Oracle9i database server.  

None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 database server release is affected by this vulnerability.  

Products affected


 Oracle9i Database, Release 9.0.1.x, only    

 Platforms affected





 There are no workarounds to protect against this potential vulnerability.    

 Patch Information


Oracle has fixed the potential vulnerability identified above in the upcoming Oracle Database server release, Oracle9i, Release 2. Patches with the base bug number, 2121935 are being made available only for supported releases of Oracle9i, Releases 9.0.1.x, database server on all supported platforms. For Windows NT and 2000, the patch is included in 2338791 for    

Download currently available patches for your platform from Oracle Support web site, iSupport, Activate the "Patches" button to get to the patches Web page. Enter the base bug fix number indicated above and activate the "Submit" button.  

Please check MetaLink or, Oracle Support Services periodically for patch availability if the patch for your platform is not yet available.  

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.  

Change Record

Windows NT and 2000 bug information was addded to the Patch Information section of this alert on 25-Apr-02.  .      


  Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.

On 19 Jul 2002 at 10:58, Deshpande, Kirti wrote:

Date sent: Fri, 19 Jul 2002 10:58:26 -0800 <>
To: Multiple recipients of list ORACLE-L <ORACLE->

Send reply to:
Organization:   	Fat City Network Services, San Diego, 
> Is this still a problem in 9iR2? I do not have it installed yet :( 
> - Kirti 
> > -----Original Message-----
> > From: []
> > Sent:	Friday, July 19, 2002 12:05 PM
> > To:	Multiple recipients of list ORACLE-L
> > Subject:	Re: security bug - join syntax
> > 
> > Thanks Linda.
> > 
> > Usenet seems to be a little behind the curve though.
> > 
> > Jonathan Lewis discovered this and posted on the list
> > ( you saw it here first! ) over a month ago.
> > 
> > Jared
> > 
> > 
> > 
> > 
> > 
> >
> > Sent by:
> > 07/19/2002 09:23 AM
> > Please respond to ORACLE-L
> > 
> >  
> >         To:     Multiple recipients of list ORACLE-L
> > <>
> >         cc: 
> >         Subject:        Re: security bug - join syntax
> > 
> > 
> > 
> > This just in from
> > 
> > See metalink bug 2121935.

Please see the official ORACLE-L FAQ:
Author: Eric D. Pierce

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
To REMOVE yourself from this mailing list, send an E-Mail message
to: (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Mon Jul 22 2002 - 05:38:20 CDT

Original text of this message