Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Steven Feuerstein has started a weblog"] [Next entry: "The CPU Jan 2006 patch for HP/UX Application Server is empty"]

Alex has added advisories for 23 security bugs fixed in 10g Release1

Alex has added three more advisories to his web site for bugs that have also been fixed in 10g Release 1. It seems that some of these bugs are not included in Oracles advisory for CPU January 2006. Another good point worth noting is that these advisories are not just for single bugs. This is quite normal in a fix listed on Oracles advisory and fixed in a CPU. One package may be listed with one bug reference but in fact there may have been multiple vulnerabilities fixed and not listed. So whilst it seems some 80 or so bugs are fixed in CPU january 2006 in fact many more could have been fixed. We simply do not know unless the reporters of the bugs reveal it to us as Alex has done in this case via his website. The bugs are:

"SQL Injection in package SYS.KUPV$FT_INT" - This advisory lists 16 SQL Injection bugs in 13 functions or procedures contained in this package. Alex has detailed each function or procedure and listed which function or procedure parameters are vulnerable to SQL Injection. He also informs us in his advisory that Oracle have fixed the bugs by now using bind variables instead (I assume) of using concatenated strings in SQL statements.

"SQL Injection in package SYS.KUPV$FT" - This advisory lists 3 SQL Injection bugs in three different functions and procedures in this package. Again the actual function or procedure parameters that are vulnerable to SQL Injection are identified. This time Alex tells us that Oracle has fixed these bugs by using the new package DBMS_ASSERT.

"SQL Injection in package SYS.DBMS_METADATA_UTIL" - In this advisory 4 SQL injection bugs are fixed in 4 different functions or procedures. Again the parameters that are vulnerable to SQL Injection are identified and again these bugs have been fixed by using the new package DBMS_ASSERT.

There is a lot of information in these three new advisories that cover a further 23 SQL injection bugs. In fact it could be argued that the number of bugs is in fact higher as for instance in the last advisory listed 2 parameters are vulnerable in each function. Whilst Alex has stopped short of giving out exploit code there is enough information here to simply write exploits for non patched databases.

Again I urge everyone to patch as soon as possible, if you don'y you are vulnerable to a hige amount of bugs that are now public.