Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Oracle Security Leaks-Are they fixed yet???

Oracle Security Leaks-Are they fixed yet???

From: Altus <>
Date: Tue, 03 Jul 2007 16:29:14 -0700
Message-ID: <>

Quite a while ago, several Oracle security leaks were discussed. I have not gotten word that they have been fixed.

Does anyone have an update on them?

The below text was clipped from the web page and somewhat reformatted. Any distortions are my own.

The ability to bypass security controls on tables using specially crafted views. Database accounts with CREATE VIEW privilege are be able to insert, update, or delete data in tables where the database account only has SELECT permission.

Oracle mistakenly published on Metalink information on an un-patched security vulnerability in the Oracle Database. On April 6, 2006, Oracle Support published a Metalink Note:

           Note ID 363848.1
           A User with SELECT Object Privilege on Base
           Tables Can Delete Rows from a View

containing detailed information on the bug and a working example. Oracle removed the Metalink Note after about 24 hours. On April 11, 2006, Alexander Kornbrust of Red Database Security released an advisory to a security mailing list on the nature of the vulnerability, however, did not provide exploit code or a working example. This security advisory received media attention and was widely distributed.
This bug was NOT fixed in the July 2006 CPU. Oracle has not released any information as to when this bug will be fixed.

Any database account with CREATE VIEW system privilege and at least SELECT access to the base table can create a specially crafted view that will allow update, insert, and delete access to the base table. Andrew Max has reported that this bug can be exploited without even using a view. This issue appears to affect all supported Oracle Database versions from to 10.2. We have verified this bug has not been fixed on after applying the July 2006 CPU. Received on Tue Jul 03 2007 - 18:29:14 CDT

Original text of this message