
Re: Oracle vulnerability

From: Paul Drake <>
Date: Tue, 7 Feb 2006 12:25:14 -0500

On 2/6/06, Nirmalya Das <> wrote:
> I have an Oracle 10g ( installation....
> How important is the following patch.....
> Has anyone already applied this patch....anything to watch out for?
> Oracle vulnerability:
> Oracle is advising its customers to quickly apply a critical database patch
> the company issued last week. Security experts warn the hole could allow
> even unsophisticated users to take control of Oracle databases.
> The patch, known as DB18, fixes a hole that affects most supported versions
> of the Oracle database software, including Oracle versions 8, 9 and 10. The
> hole is "very severe" and allows users to bypass the Oracle database's
> authentication and become administrative "super users," according to Shlomo
> Kramer, CEO of Imperva, which discovered the hole. However, Kramer and
> others say Oracle may be downplaying the seriousness of the threat out of
> concern that malicious hackers could be tipped off to the severity of the
> issue.
> Oracle Corp. said that it patches security holes in the order of their
> severity and categorized DB18 as a serious vulnerability with the potential
> for wide impact in the January Critical Patch Update [CPU], according to an
> e-mail statement.
> The security hole is part of the standard user authentication mechanism used
> by Oracle database clients, according to information published by Imperva.
> That authentication consists of two separate client requests and server
> responses.
> By manipulating a variable in one of those requests that is used to set the
> language and location of the client, ordinary users with "create session"
> privileges can run commands as SYS, the highest-level Oracle account,
> Imperva said.
> The patch process needs to be taken seriously and can be downloaded from the
> site below:
> Nirmalya
> --


Please refer to Metalink Note:343384.1.

At this point you might want to consider waiting for the patchset and its one-off patch for your OS. Windows32: Patch 1 (4882231) or later, ETA: 10-Feb-06.

Make sure that you read the entire readme.html for the patchset/patch and use the most recent version of OPatch.

Patch 2617419 (24-JAN-2006 v1.

If you do elect to apply the patch for, you might want to consider applying Patch 10 (4925998); Windows32: Patch 9 (4751259) or later.

If you have additional questions - an Oracle Support Analyst might be your best bet.
Read the readme files.
Test in a test environment.
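An added example, not part of the reply above or of any Oracle tooling: a small POSIX shell script that checks an OPatch inventory listing for the one-off patch numbers the reply names (4882231, 4925998, 4751259), so you can confirm on each ORACLE_HOME whether the CPU one-off actually landed rather than trusting that someone ran it. The inventory text embedded here is constructed for the example; the "Patch  NNNNNNN : applied on ..." line shape is what `opatch lsinventory` prints for interim patches, but treat that shape as an assumption and compare it against the output of your own OPatch version before relying on the check.

```shell
#!/bin/sh
# Added example: verify interim patches in an OPatch inventory listing.
# Not from the original post. In real use, replace SAMPLE_INVENTORY with:
#   INVENTORY=$("$ORACLE_HOME/OPatch/opatch" lsinventory)
# The constructed sample below mimics one applied interim patch (4751259).
SAMPLE_INVENTORY='Installed Top-level Products (1):

Oracle Database 10g                                                  10.2.0.1.0

Interim patches (1) :

Patch  4751259      : applied on Tue Feb 07 2006 10:00:00
   Created on 23 Jan 2006, 11:22:45 hrs PST8PDT
   Bugs fixed:
     4751259

OPatch succeeded.'

# patch_applied PATCHNUM INVENTORY_TEXT
# Returns 0 if the inventory lists PATCHNUM as an applied interim patch.
# Anchored at line start so a bug number in a "Bugs fixed:" list does not
# count as an applied patch (assumed lsinventory line shape, see lead-in).
patch_applied() {
    printf '%s\n' "$2" |
        grep -Eq "^Patch[[:space:]]+$1[[:space:]]*:[[:space:]]*applied"
}

# check_patches INVENTORY_TEXT PATCHNUM...
# Prints one status line per patch; returns the count of missing patches,
# so 0 means every requested patch is present in this ORACLE_HOME.
check_patches() {
    inv=$1
    shift
    missing=0
    for p in "$@"; do
        if patch_applied "$p" "$inv"; then
            echo "patch $p: applied"
        else
            echo "patch $p: MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Patch numbers named in the reply; the sample inventory has only one of them.
check_patches "$SAMPLE_INVENTORY" 4882231 4925998 4751259 ||
    echo "$? patch(es) missing from this ORACLE_HOME"
```

Run it once per ORACLE_HOME (the Windows one-offs and the Unix one-offs have different numbers, so feed each home its own expected list), and keep the OPatch binary current as the reply says, since older OPatch releases format the inventory differently.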



