
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Is it possible to check whether Oracle's CPU update emails are *real*?

I was emailed by Wilfred van der Deijl this morning who asked me an interesting question. He said:

"Just read the notes on your weblog (via orablogs) about the CPU emails. Does Oracle also state if and how you can verify the validity of such emails? I get tons of these emails claiming to be from Microsoft asking me to install or delete something. These are known viruses/hoaxes. How can I make sure that this is not the case with such emails from 'Oracle'?"

This is an interesting question. First off, I didn't get the emails; Alex did and let me know. The first check is the email headers, which show that the email was indeed sourced from Oracle's domain. If it were a phishing attempt, the email would be sourced from another domain. I know that these can be forged, but there are no other signs of phishing in these emails, unlike the emails Wilfred mentions. There are no links to click on asking for username or password info, or asking you to download or install anything. Therefore a mail like this, if it were not genuine, would not serve much purpose.

The emails do contain instructions though, so it is possible that fakes could be made in a similar manner. A hacker could create an email like these, make it look as if it came from Oracle, and instruct the receiver to make configuration changes or install something. It could therefore be possible for a hacker to send an email to a company that uses Oracle and instruct them to run some devious code (but not obvious code), such as granting all permissions to Java via a special package:

SQL> exec sys.dbms_java.loadjava('-v -f -r -s -g public rdbms/jlib/CDC.jar');

Thanks to Alex for this example!

In the case of these two emails sent yesterday, I am 99.99999% sure they are real; there are a number of reasons why. First, the domain used. Second, it is possible to run the necessary exploits to check whether the emails are true, that is, that the bugs supposedly fixed are not fixed. Thirdly, David Litchfield issued an advisory in this case. In the case of these emails, Oracle only issued them to customers that had downloaded the patches. This method means fewer people know about the issues, so there is potentially less chance of a lot of bad publicity. I think Oracle should announce these issues on OTN as a new security advisory so that everyone who uses Oracle's products would be made aware. Also the Metalink site should be used.

What could Oracle do better in the future for issues like this? These are Alex's ideas:

1. Publish ALL security related information on Oracle's website.
2. Sign emails (I believe this is too complicated)
3. Emails should never contain work instructions.
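
The header check described earlier and the third point above can be combined into a small triage script. This is an added example, not code from the original post or from Oracle; the vendor.test and customer.test hosts, the sample message, the Postfix-style Received format and the instruction pattern are all assumptions, and it handles single-part text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristic for "work instructions": lines that look like SQL*Plus commands.
INSTRUCTION = re.compile(r"^\s*(?:SQL>\s*)?(?:exec(?:ute)?|grant|alter)\s", re.I | re.M)
# Assumed Postfix-style hop: "from HELO (RDNS [IP]) by OURHOST". HELO is claimed
# by the sender; RDNS is what the receiving server looked up itself.
HOP = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[^\]]+\]\)\s+by\s+(\S+)")

def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2]

def review(raw, sender_domain, our_mx):
    """Return a list of findings; an empty list is not proof of authenticity."""
    msg = message_from_string(raw)
    findings = []
    for name in ("From", "Return-Path"):
        if not in_domain(addr_domain(msg.get(name)), sender_domain):
            findings.append(name + " is outside " + sender_domain)
    # Received lines below our own server's were supplied by the sender and
    # can be forged, so only the hop written by our MX is used.
    peer = next((m.group(1) for m in map(HOP.search, msg.get_all("Received", []))
                 if m and in_domain(m.group(2), our_mx)), None)
    if peer is None:
        findings.append("no hop recorded by " + our_mx)
    elif not in_domain(peer, sender_domain):
        findings.append("delivered to us by " + peer)
    if INSTRUCTION.search(msg.get_payload()):
        findings.append("body contains work instructions")
    return findings

# Constructed sample message; every host, address and date is made up.
def sample(helo, rdns, body):
    return ("Return-Path: <bounce@mail.vendor.test>\n"
            "Received: from " + helo + " (" + rdns + " [192.0.2.10])\n"
            "\tby mx.customer.test with ESMTP; Mon, 01 Jan 2024 09:00:00 +0000\n"
            "Received: from alerts.vendor.test by relay.vendor.test; Mon, 01 Jan 2024 08:59:00 +0000\n"
            "From: Security Alerts <alerts@vendor.test>\n"
            "Subject: Follow-up steps\n\n" + body + "\n")

if __name__ == "__main__":
    forged = sample("relay.vendor.test", "host7.elsewhere.test", "SQL> exec some_package.some_proc;")
    print(review(forged, "vendor.test", "mx.customer.test"))
```

In the forged sample the From, Return-Path and lower Received line all name the vendor, and only the hop recorded by the recipient's own server shows a different origin.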

Thanks to Wilfred for the question. It is always worth being vigilant where security is concerned, but in this case they are definitely real, and everyone who has installed CPU 12 April should follow these instructions.