Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle Security Leaks-Are they fixed yet???

Re: Oracle Security Leaks-Are they fixed yet???

From: DA Morgan <damorgan_at_psoug.org>
Date: Tue, 03 Jul 2007 18:57:07 -0700
Message-ID: <1183514226.250637@bubbleator.drizzle.com> 





Altus wrote:


> Quite a while ago, several Oracle security leaks were discussed. I

> have not gotten word that they have been fixed.

> 

> Does anyone have an update on them?

> 

> The below text was clipped from the web page and somewhat reformatted.

> Any distortions are my own.

> 

> http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_Unpatched_Bugs_July_2006.pdf

> 

> The ability to bypass security controls on tables using specially

> crafted views. Database accounts with CREATE VIEW privilege are be

> able to insert, update, or delete data in tables where the database

> account only has SELECT permission.

> 

> Oracle mistakenly published on Metalink information on an un-patched

> security vulnerability in the Oracle Database. On April 6, 2006,

> Oracle Support published a Metalink Note:

> 

>            Note ID 363848.1

>            A User with SELECT Object Privilege on Base

>            Tables Can Delete Rows from a View

> 

> containing detailed information on the bug and a working example.

> Oracle removed the Metalink Note after about 24 hours. On April 11,

> 2006, Alexander Kornbrust of Red Database Security released an

> advisory to a security mailing list on the nature of the

> vulnerability, however, did not provide exploit code or a working

> example. This security advisory received media attention and was

> widely distributed.

> This bug was NOT fixed in the July 2006 CPU. Oracle has not released

> any information as to when this bug will be fixed.

> 

> Any database account with CREATE VIEW system privilege and at least

> SELECT access to the base table can create a specially crafted view

> that will allow update, insert, and delete access to the base table.

> Andrew Max has reported that this bug can be exploited without even

> using a view. This issue appears to affect all supported Oracle

> Database versions from 8.1.7.4 to 10.2. We have verified this bug has

> not been fixed on 9.2.0.7 after applying the July 2006 CPU.




Since Mary Ann Davidson took over security at Oracle there have been a
large number of security leaks fixed. Between 9i and 10gR2 we saw the
elimination of a large number of SQL Injection vulnerabilities and the
introduction of the DBMS_ASSERT package the use of which has become even
more ubiquitous with 11g.



If you have specific questions I'd suggest putting them to Pete Finnigan.
http://www.petefinnigan.com

-- 
Daniel A. Morgan
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org


Received on Tue Jul 03 2007 - 20:57:07 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US