Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Patched Oracle database 'still vulnerable'"] [Next entry: "Researcher: Oracle Needs To Patch 44 More Bugs"]

Patched Oracle database 'still vulnerable'

Patched Oracle database 'still vulnerable' - Dawn Kawamoto

"The latest update for Oracle 10g Release 2 does not plug a hole that allows published attack code to run, according to a security researcher

Oracle's latest update fails to tackle a database flaw that has already been exploited, a security researcher has warned."

This report seems to suggests that simply revoking public execute privileges from the vulnerable package will suffice until a patch is available. This will not suffice if the package is avaialble via any other route. This could be because another user or role has execute privileges granted on the package or even if there are no execute privileges granted against the package it can still be vulnerable if it is called from another peice of PL/SQL from the same schema and the arguments are passed into the vulnerable package from the caller.

If access to another user who has the ability to grant the execute privileges back again could also prove to be an issue. If the dictionary accessibility parameter is incorrectly set a user with the EXECUTE ANY PROCEDURE privilege could also execute the package. If access to certain other SYS owned packages are available that allow code to be run as SYS then the exploit could also be used again.

The possibilities are very numerous for exploiting the issue and simply revoking PUBLIC execute privileges is often not enough to protect against vulnerabilities.

The only safe solution is to lobby Oracle to supply a fix.