PeteFinnigan.com Limited Oracle Security Advisory - October 2008 Critical Patch Update


Description

Oracle Application Express (APEX) is a rapid development tool for building web based interfaces and applications that run against an Oracle database. APEX is operated from a web browser and allows people with limited programming experience to develop professional applications. The issue located by PeteFinnigan.com Limited relates to excessive privileges assigned to the FLOWS database schema/user account.

Risk

If the APEX schemas exist then the risk is present until the patch is applied. The risk increases if the schema is accessible due to a weak password or an additional attack vector that allows code to run as the APEX FLOWS account. Access to the schema, either directly or indirectly, is required to exploit this issue. Note that in a default installation the password for this account is normally random and complex.

Workaround

If the Oracle APEX functionality is not required either directly or indirectly then ensure that this component is not installed. This can be verified by running the following SQL statements:

Personal Oracle Database 11g Release 11.1.0.6.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> select comp_id,comp_name,version,status
  2  from dba_registry
  3  where comp_id='APEX';

COMP_ID
------------------------------
COMP_NAME
--------------------------------------------------------------------------------

VERSION                        STATUS
------------------------------ -----------
APEX
Oracle Application Express
3.0.1.00.08                    VALID


SQL> select username from dba_users
  2  where username like 'FLOW%';

USERNAME
------------------------------
FLOWS_FILES
FLOWS_030000

SQL>

Note that default installations of 11gR1 include the APEX functionality if a sample database is chosen or a seed database is used. It is installed whether you intend to create APEX applications or not.

If APEX is not required then remove it completely from the database. This can be done with the following commands on APEX 3.1:

 SQL> drop user FLOWS_030100 cascade;
 SQL> drop user FLOWS_FILES cascade;
 SQL> @apxremov.sql

For older versions of APEX see How do I remove APEX.
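The checks above only establish whether APEX is installed. The following script, added here as an example and not part of the original advisory, extends them so an administrator can judge the exposure described in the Risk section: whether the FLOWS accounts are open to login and which roles, system privileges and executable objects they carry. It assumes a DBA session in SQL*Plus and the standard Oracle data dictionary views; the FLOWS% name pattern is taken from the advisory.

```sql
-- Added example (not the advisory's own script). Run as a DBA in SQL*Plus.
set linesize 160 pagesize 200

-- 1. Is APEX registered in this database?
select comp_id, comp_name, version, status
  from dba_registry
 where comp_id = 'APEX';

-- 2. Which FLOWS accounts exist and can they be logged into directly?
--    OPEN means a weak password is enough; LOCKED removes the direct path.
select username, account_status, created, profile
  from dba_users
 where username like 'FLOWS%'
 order by username;

-- 3. Roles held by the FLOWS accounts (DBA or other powerful roles stand out).
select grantee, granted_role, admin_option
  from dba_role_privs
 where grantee like 'FLOWS%'
 order by grantee, granted_role;

-- 4. System privileges granted directly to the FLOWS accounts.
--    ANY-style privileges let the schema act on objects outside its own.
select grantee, privilege, admin_option
  from dba_sys_privs
 where grantee like 'FLOWS%'
 order by grantee, privilege;

-- 5. Who can execute FLOWS-owned code? Grants to PUBLIC or application users
--    are the indirect route into the schema that the Risk section refers to.
select grantee, owner, table_name, privilege
  from dba_tab_privs
 where owner like 'FLOWS%'
   and privilege = 'EXECUTE'
 order by grantee, owner, table_name;
```

Accounts that are OPEN, hold roles or ANY privileges beyond what the installed APEX version needs, or expose EXECUTE grants to PUBLIC should be reviewed first when deciding between locking the accounts, removing APEX or applying the CPU.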

Versions affected

The following Oracle database versions are affected:

Database

  • 9.2.0.8 and lower
  • 10.1.0.5 and lower
  • 10.2.0.4 and lower

Patch Information

PeteFinnigan.com Limited advises customers to apply the October 2008 CPU patch as soon as is practical. See Oracle's advisory at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html (broken link) for details of the patch availability matrix.

Credit

Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.

About PeteFinnigan.com Limited

PeteFinnigan.com Limited specialises in providing Oracle database security consultancy services, database security training and products related to all aspects of Oracle security from design, breach analysis, hardening, security audits, IT healthchecks, encryption, specialised training, products and more.

We are market leaders in providing security services to customers who need to secure data held in Oracle databases. For more details please contact info@petefinnigan.com in the first instance.