Re: Oracle Security Leaks-Are they fixed yet???

From: DA Morgan <>
Date: Tue, 03 Jul 2007 18:57:07 -0700

Altus wrote:
> Quite a while ago, several Oracle security leaks were discussed. I
> have not gotten word that they have been fixed.
> Does anyone have an update on them?
> The below text was clipped from the web page and somewhat reformatted.
> Any distortions are my own.
> The ability to bypass security controls on tables using specially
> crafted views. Database accounts with CREATE VIEW privilege are
> able to insert, update, or delete data in tables where the database
> account only has SELECT permission.
> Oracle mistakenly published on Metalink information on an un-patched
> security vulnerability in the Oracle Database. On April 6, 2006,
> Oracle Support published a Metalink Note:
> Note ID 363848.1
> A User with SELECT Object Privilege on Base
> Tables Can Delete Rows from a View
> containing detailed information on the bug and a working example.
> Oracle removed the Metalink Note after about 24 hours. On April 11,
> 2006, Alexander Kornbrust of Red Database Security released an
> advisory to a security mailing list on the nature of the
> vulnerability; however, he did not provide exploit code or a working
> example. This security advisory received media attention and was
> widely distributed.
> This bug was NOT fixed in the July 2006 CPU. Oracle has not released
> any information as to when this bug will be fixed.
> Any database account with CREATE VIEW system privilege and at least
> SELECT access to the base table can create a specially crafted view
> that will allow update, insert, and delete access to the base table.
> Andrew Max has reported that this bug can be exploited without even
> using a view. This issue appears to affect all supported Oracle
> Database versions from to 10.2. We have verified this bug has
> not been fixed on after applying the July 2006 CPU.

Since Mary Ann Davidson took over security at Oracle, there have been a large number of security leaks fixed. Between 9i and 10gR2 we saw the elimination of a large number of SQL Injection vulnerabilities and the introduction of the DBMS_ASSERT package, the use of which has become even more ubiquitous with 11g.

If you have specific questions I'd suggest putting them to Pete Finnigan.

Daniel A. Morgan
University of Washington (replace x with u to respond)
Puget Sound Oracle Users Group
Received on Tue Jul 03 2007 - 20:57:07 CDT

