Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle Security Leaks-Are they fixed yet???

From: hpuxrac <johnbhurley_at_sbcglobal.net>
Date: Thu, 05 Jul 2007 17:15:10 -0700
Message-ID: <1183680910.331274.271410@n2g2000hse.googlegroups.com>


On Jul 3, 7:29 pm, Altus <silverb..._at_photobooks.com> wrote:
> Quite a while ago, several Oracle security leaks were discussed. I
> have not gotten word that they have been fixed.
>
> Does anyone have an update on them?
>
> The below text was clipped from the web page and somewhat reformatted.
> Any distortions are my own.
>
> http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle...
>
> The ability to bypass security controls on tables using specially
> crafted views. Database accounts with CREATE VIEW privilege are
> able to insert, update, or delete data in tables where the database
> account only has SELECT permission.
>
> Oracle mistakenly published on Metalink information on an un-patched
> security vulnerability in the Oracle Database. On April 6, 2006,
> Oracle Support published a Metalink Note:
>
> Note ID 363848.1
> A User with SELECT Object Privilege on Base
> Tables Can Delete Rows from a View
>
> containing detailed information on the bug and a working example.
> Oracle removed the Metalink Note after about 24 hours. On April 11,
> 2006, Alexander Kornbrust of Red Database Security released an
> advisory to a security mailing list on the nature of the
> vulnerability; however, it did not provide exploit code or a working
> example. This security advisory received media attention and was
> widely distributed.
> This bug was NOT fixed in the July 2006 CPU. Oracle has not released
> any information as to when this bug will be fixed.
>
> Any database account with CREATE VIEW system privilege and at least
> SELECT access to the base table can create a specially crafted view
> that will allow update, insert, and delete access to the base table.
> Andrew Max has reported that this bug can be exploited without even
> using a view. This issue appears to affect all supported Oracle
> Database versions from 8.1.7.4 to 10.2. We have verified this bug has
> not been fixed on 9.2.0.7 after applying the July 2006 CPU.

With as specific a focus as you have in your question, have you submitted this as a service request to oracle?

Is there a bug id we can check?

Has someone submitted a reproducible test case?

Sorry, I should have asked you those questions the first time.

Received on Thu Jul 05 2007 - 19:15:10 CDT
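As an added example (not part of the thread, and not Oracle's or Integrigy's code), a defender's audit query against the Oracle data dictionary for the precondition the quoted advisory names: an account holding CREATE VIEW plus SELECT-only access to a table it does not own. It assumes SELECT access to the DBA_* views and expands CREATE VIEW through one level of role grants only.

```sql
-- Added audit query (not from the thread). Lists grantees that could
-- create views and that hold a direct SELECT grant, but no INSERT,
-- UPDATE or DELETE grant, on a table owned by another schema. These are
-- the accounts for which the view-based DML bypass in the advisory
-- would matter. Assumes access to DBA_SYS_PRIVS, DBA_TAB_PRIVS and
-- DBA_ROLE_PRIVS. Roles nested more than one level deep are not followed,
-- so treat the result as a lower bound and re-run after a role review.
SELECT DISTINCT tp.grantee,
                tp.owner      AS table_owner,
                tp.table_name
FROM   dba_tab_privs tp
WHERE  tp.privilege = 'SELECT'
       AND tp.owner <> tp.grantee
       AND tp.owner NOT IN ('SYS', 'SYSTEM')
       -- CREATE VIEW held directly or through a directly granted role
       AND EXISTS (SELECT 1
                   FROM   dba_sys_privs sp
                   WHERE  sp.privilege = 'CREATE VIEW'
                          AND ( sp.grantee = tp.grantee
                                OR sp.grantee IN (SELECT rp.granted_role
                                                  FROM   dba_role_privs rp
                                                  WHERE  rp.grantee = tp.grantee) ))
       -- no legitimate DML grant on the same table
       AND NOT EXISTS (SELECT 1
                       FROM   dba_tab_privs dml
                       WHERE  dml.grantee = tp.grantee
                              AND dml.owner = tp.owner
                              AND dml.table_name = tp.table_name
                              AND dml.privilege IN ('INSERT', 'UPDATE', 'DELETE'))
ORDER  BY tp.grantee, tp.owner, tp.table_name;

-- Companion check: existing views that sit over tables owned by another
-- schema, which is the shape the advisory describes. Review any created
-- by a grantee returned above against a sensitive base table.
SELECT d.owner AS view_owner,
       d.name  AS view_name,
       d.referenced_owner,
       d.referenced_name
FROM   dba_dependencies d
WHERE  d.type = 'VIEW'
       AND d.referenced_type = 'TABLE'
       AND d.referenced_owner <> d.owner
       AND d.referenced_owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY d.owner, d.name;
```

Until the patch is available, the practical mitigation for accounts the first query returns is to revoke CREATE VIEW where it is not required, or to move the sensitive table's SELECT access behind a view owned by the table owner so that the grantee never holds SELECT on the base table itself.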
