Re: Oracle 9i DB Security Hole
"Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<a9oru7$hej$1_at_lust.ihug.co.nz>...
> What I'd like to know is: is this now a customer alert?
>
> I have no doubt that the problem was simply one of not realising the import
> of the matter.
>
> I didn't realise it myself. The *very* original post mentioned being able to
> select from any table. Jonathan happened to mention that a view on a select
> of any table meant DML was possible. I happened to wonder whether a view on
> a data dictionary table would allow you to wreck the database. If you
> weren't primed to follow that chain of reasoning, you wouldn't have thought
> too badly of a bug here and there, which all products have.
>
> The lack of a patch for NT is unfortunate, to say the least. But otherwise,
> the speed of response has been good.
>
> But if no-one knows about it, it's no use. I'd like to see an alert... at
> least that way, it's your own fault if you get bitten.
>
> Regards
> HJR
Update: Oracle has now emailed an alert from Metalink (the first that
I've seen) about this problem. Here is the text of the message
(without Metalink access it contains no confidential info...)
ORACLE METALINK NEWS & NOTES
Oracle Security Product Management has released new security alerts today.
Please note that you must log into MetaLink at http://metalink.oracle.com to review these documents. Use MetaLink's advanced search option to retrieve the documents by identification number.
ALERT NUMBER 1: UNAUTHORIZED ACCESS VULNERABILITY IN THE ORACLE
E-BUSINESS SUITE.
Document Identification Number 185073.1
ALERT NUMBER 2: USER PRIVILEGES VULNERABILITY IN ORACLE9i DATABASE
SERVER
Document Identification Number 185074.1
Thank you for using MetaLink.
Oracle Support Services
Hope this helps.
Received on Fri Apr 19 2002 - 10:41:38 CDT