
Re: Oracle Security Leaks-Are they fixed yet???

From: hpuxrac <>
Date: Thu, 05 Jul 2007 17:15:10 -0700
Message-ID: <>

On Jul 3, 7:29 pm, Altus <> wrote:
> Quite a while ago, several Oracle security leaks were discussed. I
> have not gotten word that they have been fixed.
> Does anyone have an update on them?
> The below text was clipped from the web page and somewhat reformatted.
> Any distortions are my own.
> The ability to bypass security controls on tables using specially
> crafted views. Database accounts with CREATE VIEW privilege are
> able to insert, update, or delete data in tables where the database
> account only has SELECT permission.
> Oracle mistakenly published on Metalink information on an un-patched
> security vulnerability in the Oracle Database. On April 6, 2006,
> Oracle Support published a Metalink Note:
> Note ID 363848.1
> A User with SELECT Object Privilege on Base
> Tables Can Delete Rows from a View
> containing detailed information on the bug and a working example.
> Oracle removed the Metalink Note after about 24 hours. On April 11,
> 2006, Alexander Kornbrust of Red Database Security released an
> advisory to a security mailing list on the nature of the
> vulnerability; however, it did not provide exploit code or a working
> example. This security advisory received media attention and was
> widely distributed.
> This bug was NOT fixed in the July 2006 CPU. Oracle has not released
> any information as to when this bug will be fixed.
> Any database account with CREATE VIEW system privilege and at least
> SELECT access to the base table can create a specially crafted view
> that will allow update, insert, and delete access to the base table.
> Andrew Max has reported that this bug can be exploited without even
> using a view. This issue appears to affect all supported Oracle
> Database versions from to 10.2. We have verified this bug has
> not been fixed on after applying the July 2006 CPU.

With as specific a focus as you have in your question, have you submitted this as a service request to oracle?

Is there a bug id we can check?

Has someone submitted a reproducible test case?

Sorry, I should have asked you those questions the first time.

Received on Thu Jul 05 2007 - 19:15:10 CDT
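As an added example (not from the thread or from Oracle), here is an audit query a DBA could run to scope the exposure the quoted advisory describes: every non-owner account that holds CREATE VIEW and a SELECT grant on someone else's base table. It assumes only the standard data dictionary views (DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_TABLES) and 10g-era syntax; grants reached through nested roles and through PUBLIC are expanded, which a direct-grant check would miss.

```sql
-- Added audit query (not from the thread). Lists accounts that satisfy the
-- precondition named in the quoted advisory: CREATE VIEW plus SELECT on a
-- base table they do not own. Privileges granted via roles (any depth) and
-- via PUBLIC are folded in, since Oracle applies both to the account.
WITH user_roles AS (
  -- every (account, role) pair, following role-to-role grants transitively
  SELECT DISTINCT CONNECT_BY_ROOT grantee AS username, granted_role
  FROM   dba_role_privs
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
holders AS (
  -- the set of grantee names whose privileges apply to each account:
  -- the account itself, PUBLIC, and all roles it holds
  SELECT username, username AS grantee FROM dba_users
  UNION
  SELECT username, 'PUBLIC'           FROM dba_users
  UNION
  SELECT ur.username, ur.granted_role
  FROM   user_roles ur
  JOIN   dba_users u ON u.username = ur.username
)
SELECT DISTINCT cv.username, tp.owner, tp.table_name, tp.grantee AS select_via
FROM   holders cv
JOIN   dba_sys_privs sp
       ON sp.grantee = cv.grantee
      AND sp.privilege = 'CREATE VIEW'
JOIN   holders sel
       ON sel.username = cv.username
JOIN   dba_tab_privs tp
       ON tp.grantee = sel.grantee
      AND tp.privilege = 'SELECT'
      AND tp.owner <> cv.username          -- owners can already modify their tables
JOIN   dba_tables t                         -- restrict to base tables, not views
       ON t.owner = tp.owner
      AND t.table_name = tp.table_name
WHERE  cv.username NOT IN ('SYS', 'SYSTEM') -- constructed exclusion list; extend as needed
ORDER  BY cv.username, tp.owner, tp.table_name;
```

Because the quoted post also notes a report that the issue can be triggered without a view, treat the result as a list of accounts worth reviewing (and as candidates for revoking CREATE VIEW or tightening SELECT grants), not as a complete test for exposure.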
