Alex has added three more advisories to his web site for bugs that have also been fixed in 10g Release 1. It seems that some of these bugs are not included in Oracles advisory for CPU January 2006. Another good point worth noting is that these advisories are not just for single bugs. This is quite normal in a fix listed on Oracles advisory and fixed in a CPU. One package may be listed with one bug reference but in fact there may have been multiple vulnerabilities fixed and not listed. So whilst it seems some 80 or so bugs are fixed in CPU january 2006 in fact many more could have been fixed. We simply do not know unless the reporters of the bugs reveal it to us as Alex has done in this case via his website. The bugs are:
"SQL Injection in package SYS.KUPV$FT_INT" - This advisory lists 16 SQL Injection bugs in 13 functions or procedures contained in this package. Alex has detailed each function or procedure and listed which function or procedure parameters are vulnerable to SQL Injection. He also informs us in his advisory that Oracle have fixed the bugs by now using bind variables instead (I assume) of using concatenated strings in SQL statements.
"SQL Injection in package SYS.KUPV$FT" - This advisory lists 3 SQL Injection bugs in three different functions and procedures in this package. Again the actual function or procedure parameters that are vulnerable to SQL Injection are identified. This time Alex tells us that Oracle has fixed these bugs by using the new package DBMS_ASSERT.
"SQL Injection in package SYS.DBMS_METADATA_UTIL" - In this advisory 4 SQL injection bugs are fixed in 4 different functions or procedures. Again the parameters that are vulnerable to SQL Injection are identified and again these bugs have been fixed by using the new package DBMS_ASSERT.
There is a lot of information in these three new advisories that cover a further 23 SQL injection bugs. In fact it could be argued that the number of bugs is in fact higher as for instance in the last advisory listed 2 parameters are vulnerable in each function. Whilst Alex has stopped short of giving out exploit code there is enough information here to simply write exploits for non patched databases.
Again I urge everyone to patch as soon as possible, if you don'y you are vulnerable to a hige amount of bugs that are now public.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Steven Feuerstein has started a weblog"] [Next entry: "The CPU Jan 2006 patch for HP/UX Application Server is empty"]
January 2006
- Niall has a good post - DBA as User - 01/05/2006 by 01/05/2006
- up front security - 01/06/2006 by 01/06/2006
- A tiny digital camera - 01/07/2006 by 01/07/2006
- Oracle 'Worm' Exploit Gets Ominous Tweak - 01/08/2006 by 01/08/2006
- Justin talks about a new series of papers on Oracle security by Arup - 01/09/2006 by 01/09/2006
- Howard has some good advice on protecting against worms - 01/10/2006 by 01/10/2006
- Doug has posted an intersting note about executing of SQL script from URL's - 01/12/2006 by 01/12/2006
- Oracle is finally listening to customers about fix times and security patch quality - 01/14/2006 by 01/14/2006
- Interview with Oracle's security chief - 01/16/2006 by 01/16/2006
- Red Database Security has released 5 Oracle security bug advisories - 01/17/2006 by 01/17/2006
- Alex has added advisories for 23 security bugs fixed in 10g Release1 - 01/19/2006 by 01/19/2006
- Alex has produced a detailed analysis of the Jan 2006 CPU - 01/22/2006 by 01/22/2006
- Duncan Harris speaks on Oracle Security - 01/24/2006 by 01/24/2006
- Oracle is advising customers to patch the last CPU very quickly - 01/25/2006 by 01/25/2006
- An argument rages in the ePress between Oracle and Litchfield - 01/27/2006 by 01/27/2006
- Gartner: Oracle no longer a bastion of security - 01/30/2006 by 01/30/2006
- How to connect to the database using Perl - with two way communication - 01/31/2006 by 01/31/2006
Archives
Syndication
Powered by gm-rss 2.0.0
