Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "David Litchfield has released a workaround for an unpatched Oracle security bug"] [Next entry: "Alex has produced a document detailing the changes made by CPU Jan 2006"]

Oracle is advising customers to patch the last CPU very quickly

Oracle Advises Users: Patch Critical HoleŚNow! - By Paul F. Roberts

"Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.

The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is "very severe" and allows users to bypass the Oracle database's authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue."

This is a discussion of the recent CPU January 2006 and in particular the DB18 bug. This is the one discovered by Imperva whereby arbitary SQL can be sent to the server and executed as SYS. This means any authenticated user can escalate to a DBA.

This bug is easy to exploit. I have an example exploit that I created easilly.