Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle Security Leaks-Are they fixed yet???

Re: Oracle Security Leaks-Are they fixed yet???

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: Tue, 03 Jul 2007 16:49:52 -0700
Message-ID: <1183506592.329754.203130@k79g2000hse.googlegroups.com> 





On Jul 3, 7:29 pm, Altus <silverb..._at_photobooks.com> wrote:


> Quite a while ago, several Oracle security leaks were discussed. I

> have not gotten word that they have been fixed.

>

> Does anyone have an update on them?

>

> The below text was clipped from the web page and somewhat reformatted.

> Any distortions are my own.

>

> http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle...

>

> The ability to bypass security controls on tables using specially

> crafted views. Database accounts with CREATE VIEW privilege are be

> able to insert, update, or delete data in tables where the database

> account only has SELECT permission.

>

> Oracle mistakenly published on Metalink information on an un-patched

> security vulnerability in the Oracle Database. On April 6, 2006,

> Oracle Support published a Metalink Note:

>

>            Note ID 363848.1

>            A User with SELECT Object Privilege on Base

>            Tables Can Delete Rows from a View

>

> containing detailed information on the bug and a working example.

> Oracle removed the Metalink Note after about 24 hours. On April 11,

> 2006, Alexander Kornbrust of Red Database Security released an

> advisory to a security mailing list on the nature of the

> vulnerability, however, did not provide exploit code or a working

> example. This security advisory received media attention and was

> widely distributed.

> This bug was NOT fixed in the July 2006 CPU. Oracle has not released

> any information as to when this bug will be fixed.

>

> Any database account with CREATE VIEW system privilege and at least

> SELECT access to the base table can create a specially crafted view

> that will allow update, insert, and delete access to the base table.

> Andrew Max has reported that this bug can be exploited without even

> using a view. This issue appears to affect all supported Oracle

> Database versions from 8.1.7.4 to 10.2. We have verified this bug has

> not been fixed on 9.2.0.7 after applying the July 2006 CPU.




There are a lot of people with various opinions about how well oracle
has been addressing security vulnerabilities.



Oracle currently supports a whole bunch of different hardware
platforms and a whole bunch of software release levels.



Any software vendor has to take additional tine and spend additional
resource costs on security vulnerabilities.  The more hardare
platforms and software versions that the vulnerabilities have to be
fixed on, the more expensive this type of effort can become.



As far as I know, for some of the reported vulnerabilities it took
oracle years to produce a patch or fix on "some of the release levels"
and platforms.



Is oracle making enough money currently to do a better job of
delivering these fixes faster?



Are the patches when they are delivered stable, easy to apply, and
reliable?



Are customers satisfied with the job that oracle is doing in this
area?



Are existing vulnerabilities getting fixed before exploits become
available?



Those are some of the relevant questions to me at least.
Received on Tue Jul 03 2007 - 18:49:52 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US