
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Alexander Kornbrust has an advisory for CPU - January 2005

My good friend Alex Kornbrust has added an advisory for Critical Patch Update (CPU) - January 2005 to his website. The advisory is titled "Buffer Overflow in Create Database Link in Oracle8i - 9i" and details a bug Alex found in April 2003. Alex has found that any user with the ability to create a DATABASE LINK can crash the database. The workaround Alex suggests is to revoke the CREATE DATABASE LINK system privilege from the CONNECT role.

I would suggest that a better solution is to revoke the CONNECT role from all users that have been granted it, then create a more realistic connect role for general users and grant that instead. You can find which users have the CREATE DATABASE LINK system privilege with my script who_has_priv.sql, and you can find out who has been granted the CONNECT role with my script who_has_role.sql.
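The audit and replacement steps above can be sketched directly against the data dictionary. This is an added example, not the who_has_priv.sql or who_has_role.sql scripts and not code from the advisory; the role name APP_CONNECT is a hypothetical choice, and the queries assume a session with access to the DBA_ views.

```sql
-- Added example: audit CREATE DATABASE LINK and replace the CONNECT role.
-- APP_CONNECT is a hypothetical role name chosen for illustration.

-- 1. Users holding CREATE DATABASE LINK, directly or through any chain
--    of roles (for example via CONNECT or DBA).
SELECT DISTINCT grantee
FROM (
    SELECT grantee
    FROM (
        SELECT grantee, privilege AS granted FROM dba_sys_privs
        UNION ALL
        SELECT grantee, granted_role AS granted FROM dba_role_privs
    )
    START WITH granted = 'CREATE DATABASE LINK'
    CONNECT BY granted = PRIOR grantee
)
WHERE grantee IN (SELECT username FROM dba_users)
ORDER BY grantee;

-- 2. Everyone (users and roles) granted the CONNECT role.
SELECT grantee, admin_option, default_role
FROM dba_role_privs
WHERE granted_role = 'CONNECT'
ORDER BY grantee;

-- 3. A minimal replacement role: log on and nothing else. In 8i and 9i the
--    CONNECT role also carries ALTER SESSION, CREATE CLUSTER, CREATE
--    DATABASE LINK, CREATE SEQUENCE, CREATE SYNONYM, CREATE TABLE and
--    CREATE VIEW, so accounts that create their own objects need those
--    privileges granted explicitly before CONNECT is revoked.
CREATE ROLE app_connect;
GRANT CREATE SESSION TO app_connect;

-- 4. Generate, for review before running, the statements that swap
--    CONNECT for APP_CONNECT on each user account. The grant is listed
--    first so that no account loses CREATE SESSION part-way through.
SELECT 'GRANT app_connect TO "' || grantee || '";' AS stmt
FROM dba_role_privs
WHERE granted_role = 'CONNECT'
  AND grantee IN (SELECT username FROM dba_users)
UNION ALL
SELECT 'REVOKE connect FROM "' || grantee || '";'
FROM dba_role_privs
WHERE granted_role = 'CONNECT'
  AND grantee IN (SELECT username FROM dba_users);
```

Re-running query 1 after the swap shows which accounts still reach CREATE DATABASE LINK through some other role or a direct grant.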

More about Alex's site later.