Oracle Ultra-Search uses database and Oracle text functionallity to provide a uniform search function that is fully integrated with the
SQL language and where it allows full text search capabilities within the database. For more details see Introduction to Oracle Ultra Search. The issue located by PeteFinnigan.com Limited relates to excessive privileges assigned to the WKSYS database schema/user account.
If the WKSYS schema exists then the risk is still present without application of the patch. The CVSS score is 3.0 which is low but the risk increases if the schema is accessible due to a weak password or an additional
attack vector that allows code to run as WKSYS. Access to the schema, either directly or indirectly are required to expliot this issue.
If the Oracle Ultra-Search functionallity is not required either directly or indirectly then ensure that this component is not installed. This can be verified by checking if the WKSYS schema is present in the database.
The following Oracle database versions are affected
PeteFinnigan.com Limited advises customers to apply the January 2008 CPU patch as soon as is practical. See Oracle's advisory for
details of the patch availability matrix.
Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.
PeteFinnigan.com Limited specialises in consultancy services, training and products related to all aspects of Oracle security from design, breach analysis, hardening, security audits, IT healthchecks, encryption, specialised training, products and more.
We are market leaders in providing security services to customers who need to secure data held in Oracle databases. For more details please contact info@petefinnigan.com
in the first instance.
PeteFinnigan.com Limited Oracle Security Advisory - Jan 2008 Critical Patch Update
Description
Risk
Workaround
Versions affected
Patch Information
Credit
About PeteFinnigan.com Limited