Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle Security Leaks-Are they fixed yet???

Re: Oracle Security Leaks-Are they fixed yet???

From: hpuxrac <>
Date: Tue, 03 Jul 2007 16:49:52 -0700
Message-ID: <>

On Jul 3, 7:29 pm, Altus <> wrote:
> Quite a while ago, several Oracle security leaks were discussed. I
> have not gotten word that they have been fixed.
> Does anyone have an update on them?
> The below text was clipped from the web page and somewhat reformatted.
> Any distortions are my own.
> The ability to bypass security controls on tables using specially
> crafted views. Database accounts with CREATE VIEW privilege are be
> able to insert, update, or delete data in tables where the database
> account only has SELECT permission.
> Oracle mistakenly published on Metalink information on an un-patched
> security vulnerability in the Oracle Database. On April 6, 2006,
> Oracle Support published a Metalink Note:
> Note ID 363848.1
> A User with SELECT Object Privilege on Base
> Tables Can Delete Rows from a View
> containing detailed information on the bug and a working example.
> Oracle removed the Metalink Note after about 24 hours. On April 11,
> 2006, Alexander Kornbrust of Red Database Security released an
> advisory to a security mailing list on the nature of the
> vulnerability, however, did not provide exploit code or a working
> example. This security advisory received media attention and was
> widely distributed.
> This bug was NOT fixed in the July 2006 CPU. Oracle has not released
> any information as to when this bug will be fixed.
> Any database account with CREATE VIEW system privilege and at least
> SELECT access to the base table can create a specially crafted view
> that will allow update, insert, and delete access to the base table.
> Andrew Max has reported that this bug can be exploited without even
> using a view. This issue appears to affect all supported Oracle
> Database versions from to 10.2. We have verified this bug has
> not been fixed on after applying the July 2006 CPU.

There are a lot of people with various opinions about how well oracle has been addressing security vulnerabilities.

Oracle currently supports a whole bunch of different hardware platforms and a whole bunch of software release levels.

Any software vendor has to take additional tine and spend additional resource costs on security vulnerabilities. The more hardare platforms and software versions that the vulnerabilities have to be fixed on, the more expensive this type of effort can become.

As far as I know, for some of the reported vulnerabilities it took oracle years to produce a patch or fix on "some of the release levels" and platforms.

Is oracle making enough money currently to do a better job of delivering these fixes faster?

Are the patches when they are delivered stable, easy to apply, and reliable?

Are customers satisfied with the job that oracle is doing in this area?

Are existing vulnerabilities getting fixed before exploits become available?

Those are some of the relevant questions to me at least. Received on Tue Jul 03 2007 - 18:49:52 CDT

Original text of this message