|
__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Oracle9i User Privileges Vulnerability [Oracle Security Alert #33] April 23, 2002 22:00 GMT Number M-071 ______________________________________________________________________________ PROBLEM: A potential security vulnerability has been discovered in Oracle9i database server. It is possible to create a user defined in the Oracle9i database server with limited privileges who can potentially access privileged data using SQL syntax for outer joins. PLATFORM: All platforms using Oracle9i Database, Release 9.0.1.x. DAMAGE: A knowledgeable and malicious user may gain unauthorized access to data in Oracle9i database server. SOLUTION: Apply the patch supplied by vendor. ______________________________________________________________________________ VULNERABILITY The risk is LOW. A user account defined in the Oracle9i ASSESSMENT: database is required to exploit this vulnerability. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-071.shtml ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf ______________________________________________________________________________ [***** Start Oracle Security Alert #33 *****] Oracle Security Alert #33 Dated: 17 April 2002 User Privileges Vulnerability in Oracle9i Database Server Description A potential security vulnerability has been discovered in Oracle9i database server. It is possible to create a user defined in the Oracle9i database server with limited privileges who can potentially access privileged data using SQL syntax for outer joins. As such, a knowledgeable and malicious user can gain unauthorized access to data in Oracle9i database server. None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 database server release is affected by this vulnerability. Products affected Oracle9i Database, Release 9.0.1.x, only Platforms affected All Workarounds There are no workarounds to protect against this potential vulnerability. Patch Information Oracle has fixed the potential vulnerability identified above in the upcoming Oracle Database server release, Oracle9i, Release 2. Patches with the base bug fix number, 2121935, are being made available only for supported releases of Oracle9i, Releases 9.0.1.x, database server on all supported platforms. Download currently available patches for your platform from Oracle’ s Worldwide Support web site, Metalink, http://metalink.oracle.com. Activate the "Patches" button to get to the patches Web page. Enter the base bug fix number indicated above and activate the "Submit" button. Please check with Metalink or Oracle Worldwide Support Services periodically for patch availability if the patch for your platform is not yet available. IMPORTANT NOTE: If any view in the Oracle9i database server was created before application of your patch, re-compile all views including string 'JOIN' (as user SYS) immediately after application of your patch. Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch. [***** End Oracle Security Alert #33 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Oracle Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious Code M-064: Cisco web interface vulnerabilities in ACS for Windows M-065: Red Hat Race Conditions in "logwatch" M-066: Microsoft Cumulative Patch for Internet Information Services (IIS) Vulnerabilities M-067: SGI Mail, mailx, sort, timed, and gzip Vulnerabilities M-068: Microsoft IE and Office for Macintosh Vulnerabilities M-069: Microsoft SQL Server Unchecked Buffer Vulnerabilities CIACTech02-003: Protecting Office for Mac X Antipiracy Server Ports M-070: Apache HTTP Server on Win32 Vulnerability