
Re: Oracle Security Leaks-Are they fixed yet???

From: Altus <silverback_at_photobooks.com>
Date: Thu, 05 Jul 2007 12:11:23 -0700
Message-ID: <1183662683.361317.300070@g4g2000hsf.googlegroups.com>


On Jul 3, 9:57 pm, DA Morgan <damor..._at_psoug.org> wrote:
> Altus wrote:
> > Quite a while ago, several Oracle security leaks were discussed. I
> > have not gotten word that they have been fixed.
>
> > Does anyone have an update on them?
>
> > The below text was clipped from the web page and somewhat reformatted.
> > Any distortions are my own.
>
> >http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle...
>
> > The ability to bypass security controls on tables using specially
> > crafted views. Database accounts with CREATE VIEW privilege are
> > able to insert, update, or delete data in tables where the database
> > account only has SELECT permission.
>
> > Oracle mistakenly published on Metalink information on an un-patched
> > security vulnerability in the Oracle Database. On April 6, 2006,
> > Oracle Support published a Metalink Note:
>
> > Note ID 363848.1
> > A User with SELECT Object Privilege on Base
> > Tables Can Delete Rows from a View
>
> > containing detailed information on the bug and a working example.
> > Oracle removed the Metalink Note after about 24 hours. On April 11,
> > 2006, Alexander Kornbrust of Red Database Security released an
> > advisory to a security mailing list on the nature of the
> > vulnerability; however, it did not provide exploit code or a working
> > example. This security advisory received media attention and was
> > widely distributed.
> > This bug was NOT fixed in the July 2006 CPU. Oracle has not released
> > any information as to when this bug will be fixed.
>
> > Any database account with CREATE VIEW system privilege and at least
> > SELECT access to the base table can create a specially crafted view
> > that will allow update, insert, and delete access to the base table.
> > Andrew Max has reported that this bug can be exploited without even
> > using a view. This issue appears to affect all supported Oracle
> > Database versions from 8.1.7.4 to 10.2. We have verified this bug has
> > not been fixed on 9.2.0.7 after applying the July 2006 CPU.
>
> Since Mary Ann Davidson took over security at Oracle there have been a
> large number of security leaks fixed. Between 9i and 10gR2 we saw the
> elimination of a large number of SQL Injection vulnerabilities and the
> introduction of the DBMS_ASSERT package, the use of which has become even
> more ubiquitous with 11g.
>
> If you have specific questions I'd suggest putting them to Pete Finnigan. http://www.petefinnigan.com
> --
> Daniel A. Morgan
> University of Washington
> damor..._at_x.washington.edu (replace x with u to respond)
> Puget Sound Oracle Users Group www.psoug.org

Thank you all.

I have sent Pete a note. I hope he gives me good news. ::)>

Received on Thu Jul 05 2007 - 14:11:23 CDT
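The quoted Integrigy analysis says the view bug is reachable only by accounts that hold CREATE VIEW together with SELECT on a base table. The following is an added example, not code from this thread, Integrigy or Oracle, of the dictionary check a DBA could run to size that exposure and contain it while a fix is outstanding. It assumes a DBA-level session on a 9i/10g database with the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES and DBA_TAB_PRIVS views; the account name in the REVOKE is a placeholder.

```sql
-- Added example (not from the thread). Inventory who can reach the
-- Metalink Note 363848.1 condition: CREATE VIEW plus SELECT-only access.

-- 1. Accounts (including PUBLIC) granted CREATE VIEW directly.
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'CREATE VIEW'
   AND grantee NOT IN (SELECT role FROM dba_roles)
UNION ALL
-- 2. Accounts that receive CREATE VIEW through a role. One level of role
--    nesting only; extend with CONNECT BY over dba_role_privs for chains.
SELECT rp.grantee, 'ROLE ' || rp.granted_role AS via
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'CREATE VIEW'
   AND rp.grantee NOT IN (SELECT role FROM dba_roles)
 ORDER BY 1, 2;

-- 3. For each CREATE VIEW holder, the tables on which it has SELECT but no
--    INSERT/UPDATE/DELETE: the objects the bug would let it modify.
SELECT tp.grantee, tp.owner, tp.table_name
  FROM dba_tab_privs tp
 WHERE tp.privilege = 'SELECT'
   AND tp.grantee IN (SELECT grantee FROM dba_sys_privs
                       WHERE privilege = 'CREATE VIEW')
   AND NOT EXISTS (SELECT 1
                     FROM dba_tab_privs x
                    WHERE x.grantee    = tp.grantee
                      AND x.owner      = tp.owner
                      AND x.table_name = tp.table_name
                      AND x.privilege IN ('INSERT', 'UPDATE', 'DELETE'))
 ORDER BY 1, 2, 3;

-- 4. Containment until patched: remove CREATE VIEW from accounts that do
--    not legitimately create views, and audit use of the privilege
--    (privilege auditing needs AUDIT_TRAIL set to DB or OS to record).
REVOKE CREATE VIEW FROM app_reporting_user;   -- placeholder account name
AUDIT CREATE VIEW BY ACCESS;
```

Step 3 is the list worth reviewing with application owners: every row is a table the account is supposed to read only. Note that CONNECT included CREATE VIEW through 10gR1, so the role query in step 2 often surfaces accounts nobody intended to have it.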
