By Paul F. Roberts
November 9, 2005
A noted computer security expert who has clashed with Oracle Corp. in
the past is warning customers that a cumulative security patch from
the company may overlook a critical hole that could leave Oracle
databases open to remote attack.
David Litchfield of NGSS (Next Generation Security Software Ltd.)
posted a warning on the Bugtraq security discussion list Tuesday
claiming that Oracle's October CPU (Critical Patch Update) failed to
install software components on some Oracle systems.
The omission could cause Oracle administrators to believe that their
systems are patched, when they are in fact vulnerable to attacks, he
This is the second such charge Litchfield has leveled against Oracle
in recent months, the result of what Litchfield claims are lax patch
creation and testing procedures at the Redwood Shores, California
Oracle did not respond to requests for comment in time for the
article. However, company Chief Security Officer Maryann Davidson has
been critical of researchers like Litchfield in the past, accusing
them of being indiscreet and a "problem" for software vendors.
NGSS researchers discovered a number of problems with Oracle's October
CPU, a collection of 23 patches for 85 security vulnerabilities in
Oracle's database, server and enterprise application software.
Litchfield warned of those problems on Oct. 19  in another Bugtraq
posting, and reported them to Oracle.
The new warning stems from an analysis of Oracle's attempts to patch a
vulnerability for a component called Oracle Text (CTXSYS) on Oracle
184.108.40.206 databases, an older version of the company's database product.
A problem with the script that installs the patch prevents updated
PL/SQL software packages that fix the vulnerability from being copied
to the system running Oracle, Litchfield wrote on Bugtraq. PL/SQL is
an extension of SQL for use on Oracle databases.
"Even if you have Oracle Text installed, the patch installer will not
install the update PL/SQL packages," he wrote.
Database administrators who run Oracle Text and have applied the
October CPU patch could still be vulnerable to attackers, who could
use the hole to elevate low-level database accounts to DBA=97or
high-level administrator=97accounts, Litchfield said.
If the vulnerable database is part of a Web application that is
exposed to the Internet via a Web portal, or another avenue, a remote
attacker could exploit the Oracle Text hole without needing a database
user name or password, Litchfield said.
NGSS recommends manually running the script, ctxcpu.sql, which applies
Litchfield has become something of a gadfly for Oracle, calling
attention to the company's backlog of unpatched holes and accusing the
company of releasing sloppy patches that don't adequately address
security holes that are reported in its products, or that fail to
Despite his criticisms, Litchfield said recently that Oracle has made
efforts to improve its security operation in recent months. The most
recent CPU was a vast improvement over the previous quarter's patches,
with the company increasing the quality of its patches, and patching
more holes than those reported by independent researchers.
Earn your Master's degree in Information Security ONLINE
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.