Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Many ways to become DBA"] [Next entry: "Oracle XE will get upgrades with security fixes rather than patches"]

More than 275 new security bugs found last week in the Oracle 10g database

I saw a news item on EWeek today in an article written by Paul F. Roberts titled "New Security Risks Hit Oracle" that talks about the recent Oracle worm and how it does not use any security bugs but exploits configuration insecurities. The key information in this post is the announcement that last week Alex Kornbrust reported more than 250 SQL Injection bugs in standard packages shipped in the Oracle 10g Release 1 database. A quote from the article says:

"said he passed details to Oracle last week on more than 250 SQL injection vulnerabilities in the company's 10g Release 1 database server. Kornbrust said he found the SQL injection holes in just 6 hours using automated vulnerability scanning tools to analyze about 9,000 software packages and functions that are part of 10g Release 1."

Alex also developed exploit code for some of the bugs that can be used to escalate privileges. He said up to 30% of the bugs can be used to escalate privileges.

Separately on Alex's "Upcoming Oracle Security Alerts" he shows that he has reported 25 vulnerabilities in the October 18 2005 Critical Patch update.

This totals more than 275 new bugs in the Oracle database products, almost exclusively in built-in PL/SQL packages that in most cases have PUBLIC execute privileges.