Limited Oracle Security Advisory - October 2008 Critical Patch Update


Oracle Application Express (APEX) is a rapid development tool for developing web-based interfaces and applications that run against an Oracle database. APEX is operated from a web browser and allows people with limited programming experience to develop professional applications. The issue located by Limited relates to excessive privileges assigned to the FLOWS database schema/user account.


If the APEX schemas exist then the risk is still present without application of the patch. The risk increases if the schema is accessible due to a weak password or an additional attack vector that allows code to run as the APEX FLOWS account. Access to the schema, either directly or indirectly, is required to exploit this issue. Note that in a default installation the password for this account is normally random and complex.


If the Oracle APEX functionality is not required, either directly or indirectly, then ensure that this component is not installed. This can be verified by running the following SQL statements:

Personal Oracle Database 11g Release - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select comp_id,comp_name,version,status
  2  from dba_registry
  3  where comp_id='APEX';


VERSION                        STATUS
------------------------------ -----------
Oracle Application Express                    VALID

SQL> select username from dba_users
  2  where username like 'FLOW%';



Note that default installations of 11gR1 include the APEX functionality if a sample database is chosen or a seed database is used. This is installed whether you intend to create APEX applications or not.
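The two checks above can be extended into a single audit script that also lists the privileges and roles held by the FLOWS schemas, which is what the advisory's finding is about. This is an added example, not part of the original advisory; it uses only standard Oracle data dictionary views and is run in SQL*Plus as a DBA.

```sql
-- Added audit script (not from the original advisory). Inventories the APEX
-- component and the FLOWS% schemas, then lists what those schemas are granted
-- so that excessive privileges can be reviewed before or after patching.
set linesize 160 pagesize 100
column comp_name    format a30
column grantee      format a20
column privilege    format a35
column granted_role format a30

-- 1. Is the APEX component registered in the database, and in what state?
select comp_id, comp_name, version, status
from   dba_registry
where  comp_id = 'APEX';

-- 2. Which FLOWS% accounts exist, and are they open for direct login?
select username, account_status, lock_date, created
from   dba_users
where  username like 'FLOW%'
order  by username;

-- 3. System privileges granted directly to the FLOWS% schemas.
select grantee, privilege, admin_option
from   dba_sys_privs
where  grantee like 'FLOW%'
order  by grantee, privilege;

-- 4. Roles granted to the FLOWS% schemas (privileges may arrive via roles).
select grantee, granted_role, admin_option, default_role
from   dba_role_privs
where  grantee like 'FLOW%'
order  by grantee, granted_role;

-- 5. System privileges the FLOWS% schemas reach through one level of role
--    grants; nested roles would need a CONNECT BY over dba_role_privs.
select r.grantee, r.granted_role, s.privilege
from   dba_role_privs r
join   dba_sys_privs  s on s.grantee = r.granted_role
where  r.grantee like 'FLOW%'
order  by r.grantee, r.granted_role, s.privilege;
```

Empty results from queries 1 and 2 mean APEX is not installed; otherwise queries 3 to 5 show what an attacker who obtains the FLOWS account would inherit, and any ANY-style or DBA-level grants there should be reviewed.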

If APEX is not required then remove it completely from the database. This can be done with the following commands on APEX 3.1:

 SQL> drop user FLOWS_030100 cascade;
 SQL> drop user FLOWS_FILES cascade;
 SQL> @apxremov.sql

For older versions of APEX see How do I remove APEX.

Versions affected

The following Oracle database versions are affected:


  • and lower
  • and lower
  • and lower

Patch Information

Limited advises customers to apply the October 2008 CPU patch as soon as is practical. See Oracle's advisory (broken link) for details of the patch availability matrix.


Pete Finnigan of Limited discovered this vulnerability.

About Limited

Limited specialises in providing Oracle database security consultancy services, database security training and products related to all aspects of Oracle security, from design, breach analysis, hardening, security audits, IT health checks, encryption and specialised training to products and more.

We are market leaders in providing security services to customers who need to secure data held in Oracle databases. For more details please contact in the first instance.