Usenet, c.d.o.misc: Re: Oracle security vulnerability, nuisance, or paranoia?
casey.kirkpatrick_at_gmail.com wrote:
> We have an application with a staging table with a simple rule:
> external systems may only insert into and select from the table, but
> may not update or delete records. We recently noticed that one of our
> internal processes, which processes and updates values in the staging
> table, was encountering some lock contention issues. We ultimately
> determined that the contention problem was with some external systems
> which had coded a cursor with a FOR UPDATE clause (however, it was only
> being used to view the data). The FOR UPDATE clause was a historic
> remnant from a time when the systems *could* update the table. Now,
> the cursor is simply being used to view the table data, but it still
> has the *FOR UPDATE* code. The problem: our table (and our ability to
> process its records) is at the mercy of these external systems, which
> can freely lock and unlock the rows w/out UPDATE access.
>
> My question: isn't this a bit of a security flaw that a user who does
> *not* have UPDATE access to a table, and should *ONLY* be able to
> SELECT from the table, can still open a *FOR UPDATE* cursor against
> that table, and thus obtain exclusive locks on the table's rows?
>
> Should this be reported to Metalink, or am I being overly paranoid
> about this being a DOS vulnerability?
>
> Oh, by the way, I am seeing this in Oracle 8.1.7 - does anyone know if
> this exists for 9i and beyond?
Does it compromise security? How?
The bad design is owned by your organization: You'll need to fix it!
--
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu
(replace 'x' with 'u' to respond)

Received on Mon Jan 10 2005 - 17:33:03 CST
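Added example, not part of either post: a query a DBA could run to see which sessions currently hold locks on the staging table from accounts that have no direct UPDATE or DELETE grant on it, which is the situation the question describes. STAGING_OWNER and STAGING_TABLE are placeholder names, and the query assumes access to the V$ and DBA_ views.

```sql
-- Added example; STAGING_OWNER / STAGING_TABLE are placeholders.
-- Lists sessions holding a lock on the staging table whose account has
-- no direct UPDATE or DELETE grant on it (for instance a SELECT-only
-- account that opened a FOR UPDATE cursor).
-- Assumptions and limits:
--   * only direct grants in DBA_TAB_PRIVS are checked; privileges
--     received through roles or ANY-privileges are not resolved
--   * an uncommitted INSERT from such an account also holds a lock and
--     will appear here, so treat the output as a triage list
-- Old-style joins are used so the statement also parses on 8i.
SELECT s.sid,
       s.serial#,
       s.username,
       s.osuser,
       s.machine,
       s.program,
       lo.locked_mode,
       s.last_call_et AS secs_since_last_call
FROM   v$locked_object lo,
       dba_objects     o,
       v$session       s
WHERE  o.object_id   = lo.object_id
AND    s.sid         = lo.session_id
AND    o.owner       = 'STAGING_OWNER'
AND    o.object_name = 'STAGING_TABLE'
AND    s.username   <> o.owner
AND    NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.owner      = o.owner
         AND    p.table_name = o.object_name
         AND    p.grantee    = s.username
         AND    p.privilege IN ('UPDATE', 'DELETE'))
ORDER  BY s.last_call_et DESC;
```

Sessions at the top of the result have held their lock longest without a new call and are the first candidates to check against the blocked internal process. From Oracle 12c (12.1.0.2) the READ object privilege can be granted instead of SELECT; it allows queries but not SELECT ... FOR UPDATE or LOCK TABLE.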