Pete Finnigan is the author of the SANS book
Oracle security step-by-step - a survival guide for Oracle security. Pete also has written many papers about Oracle security.
petefinnigan.com is the place for free Oracle security information, white papers, links to other resources, free scripts
tools and products and professional Oracle security audit services.
For over 100 Oracle security white papers see here.
For over 100 Oracle security white papers see here.
Oracle security alerts
This page concentrates on giving details about new and current Oracle security alerts. I aim to bring links to advisories from
the discoverers of the security bugs and also to the Oracle alerts themselves.
|Date||Discoverers advisory||Oracles advisory||Description|
|22-Oct-2008||APEX flows account has excessive privileges||Critial Patch Update - October 2008||Pete Finnigan of PeteFinnigan.com Limited discovered an issue with excessive privileges in the APEX flows account.|
|30-Jan-2008||Oracle Ultra-Search - Excessive privileges||Critial Patch Update - January 2008||Pete Finnigan of PeteFinnigan.com Limited discovered an issue with excessive privileges in the Oracle Ultra-Search functionallity.|
|18-Jan-2005||Directory abuse issue||Critial Patch Update - january 2005||
UPDATED 23-Jan-2005I have just been made aware of the new advisory released by Integrigy. The advisory is for the bugs Steve Kost and his company have found
in the Oracle E-Business suite, the Oracle database and also in the Oracle application server. The advisory is High Risk Security Issues in the Oracle Database and Oracle Applications Oracle Critical Patch Update – January 2005 and
details multiple bugs in the Oracle spatial package MDSYS.MD2 and a Denial of service in the Oracle Forms server and also the Oracle Reports Server leaks database passwords. Finally Steve has found multiple SQL Injection issues in the Oracle E-Business Suite.
NEW Oracle have just released the first of the new quarterly security patch updates. These are named Critical Patch Updates or (CPU). Oracles advisory details bugs found by Pete Finnigan - my advisory is included here, Alexander Kornbrust who's advisory is titled Buffer Overflow in Create Database Link in Oracle8i - 9i. David Litchfield has also released an advisory to Bugtraq titled Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i. I could not find an advisory from Integrigy (Stephen Kost) yet. I will update this when i see one put out.
Bugs in DBMS_SCHEDULER
SQL Injection via CTXSYS.DRILOAD in Oracle 8i/9i
Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i – 9i
Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2
|Multiple security fixes in multiple products - alert #68||
UPDATED 27-Dec-2004 NGS have released details of the 10 bugs that they have found that are part of the now infamous alert 68. Details can be found here
UPDATED 16-Sep-2004 I have just updated the links to other researchers advisories for the Oracle alert #68 as Alex Kornbrust has added detailed advisories for the three bugs that he discovered that were also fixed in Oracle alert #68. Alex found a particularly interesting SQL Injection bug in the CTXSYS.DRILOAD package where it is possible to execute almost any SQL command for instance granting yourself the DBA role. This bug can be worked around by dropping the CTXSYS user if the functionality is not needed or by revoking the PUBLIC execute privileges from CTXSYS.DRILOAD. The second bug is in the DBMS_SYSTEM.KSDWRT package procedure. This procedure can be used to write records to the alert log or to trace files or both. The DBMS_SYSTEM.KSDWRT package procedure can cause the database to crash if it can be persuaded to buffer overflow. The work around for this bug is to ensure that no user has execute privileges on DBMS_SYSTEM. The final bug Alex found is with the built in function SYS_CONTEXT. If SYS_CONTEXT is passed a crafted overly long string it can be made to cause a buffer overflow. This is an issue on Windows platforms and for 9iR2. The three links to Alex's advisories have been added here.
NEW Oracle have last night released security advisory #68 which is the first of the new monthly patch releases to be expected from Oracle. This advisory and associated patches include fixes for many bugs from many different researchers. There is little detail on the Oracle advisory as to the exact nature of the issues.
Pete Finnigan found vulnerabilities in the new scheduler functionality in 10gR1. Our advisory is included here. The bugs were found in conjunction with Jonathan Gennick of O'Reilly and Alexander Kornbrust of Red-Database-Security.
|05-Aug-2004||ssl_log() format string vulnerability announced||
NEW If you use Oracles application server 9iR1, 9iR2 or 10gR1 then you need to be aware of a format string vulnerability
announced recent by the open source community along with a fix. mod_ssl used by Oracle uses the mod_proxy hook functions used by ssl_log() so you could be vulnerable.
Check out the link above for details on the bug and the open source patches to fix the issue. Talk to Oracle about a patch to fix your installation if you do not wish to use the open source patches. Oracle have not released an advisory on this yet but as this bug is in the public domain you should be aware of it.
|05-Aug-2004||34 Security Flaws found in Oracle software||NEW Just last week David Litchfield spoke at the DEFCON conference in Las Vegas and revealed yet again new Oracle security bugs. He also spoke to the press after his presentation and told the press that he had found 34 security bugs in Oracle that he had made Oracle aware of these bugs in January and February this year and that Oracle have fixed the issues but not yet released patches. He also said that about 90% of these are serious bugs. i.e an escalation of database privileges or access to the server as a privileged user is possible. Read the two links above and see for yourself what David has to say.|
|11-Jun-2004||Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities||Unauthorized Access Vulnerabilities in Oracle E-Business Suite||
NEW Stephen Kost of Integrigy Corporation has found multiple SQL Injection vulnerabilities in the Oracle E-Business Suite 11i and Oracle applications 11.0
These issues can be exploited remotely by adding SQL statements to URL's sent to the web server. Almost all versions of Oracle applications are vulnerable as Oracle installs the code for all product
modules by default. A hacker can execute SQL statements or execute PL/SQL functions by entering them into input fields in a web page. Due to the design of Oracle applications these attacks can quickly
be used to compromise the whole of the database or applications. Even worse if the application is Internet facing then a hacker can send a single specially crafted HTTP get or post to the web server
and capture the database. It is also possible to evade IDS systems with these specially crafted URLs.
Apply the patches listed by Oracle if you user Oracle application or E-Business Suite. Also please visit Stephens site for more details on this and other alerts he has reported. He also has some excellent papers and free tools. This is advisory #67.
|22-Apr-2004||Security alerts page||NEWS ITEM It has become apparent recently that Oracle have moved the links to their security alerts page. Previously the link to the security alerts was on the front page of OTN. Now you need to click on the "Product centers" tab and then a link to the security alerts is on the right hand side. The URL of the alerts page has not changed and is still here.|
|15-Mar-2004, UPDATED 18-Apr-2004||Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache||Security vulnerabilities in Oracle 9i / 10g application server web cache||
UPDATED 18-Apr-2004Ioannis Migadakis [email@example.com][firstname.lastname@example.org] has released a detailed advisory for one of the security issues addressed by this alert.
Ioannis has given a very detailed description of this heap overflow vulnerability. It can be exploited remotely and some firewalls will not protect against it. Oracle advise that the patches available form metalink
are applied immediately. The heap overflow exists in the webcached process. If an overly long HTTP header is sent as the HTTP request method then this issue can be triggered. Ioannis goes on to show an example of a
432 byte request being sent to a windows hosted web cache. Please have a look at Ioannis's advisory and apply the patches if you use webcache.
NEW Oracle have released, a couple of days ago on the 12th of March a new Oracle security advisory on Oracle application server web cache. Details of the versions and platforms affected are available in Oracles advisory. This issue is reported as severity 1. For the issue to be exploited Web Cache must be running and listening on the web cache listener port. The type of HTTP server used does not matter. The vulnerable request must be sent to the web cache, if it is sent direct to the HTTP server this is cannot be exploited. There are no details of the actual vulnerability other than its a request to the web cache. Oracle say that the patches available from metalink should be applied and that there are no suitable work around. Please visit metalink for the patch, this is the link patch. Oracle have not credited anyone with this discovery so it must be assumed to have been discovered internally or by contract staff. This is advisory #66
|19-Feb-2004||www.sanctuminc.com||Security vulnerabilities in Oracle 9i application and database servers||NEW Amit Klein of Sanctum Inc has discovered security vulnerabilities in the Oracle application server release 1 and 2 versions 18.104.22.168 and 22.214.171.124 and 126.96.36.199 and earlier. The issues also appear in the database server release 1 and 2 versions 188.8.131.52 and 184.108.40.206. The issues are in the processing of SOAP messages where Data Type Definitions (DTD's) have been prepared to exploit the XML. SOAP and xml are installed by default in both the application server and database server if the HTTP server is installed. Therefore many default installations will be vulnerable. The risk can be reduced by removing the SOAP jar file $ORACLE_HOME/soap/lib/soap.jar if SOAP is not needed. Otherwise patch the server asap. I could not find an advisory at this stage on the Sanctum web site. This will be added when found. This is advisory #65|
|19-Feb-2004||NGSSoftware Security advisories||Security vulnerabilities in Oracle\9i database server||NEW Security vulnerabilities have been discovered by David Litchfield in the Oracle 9iR2 and 9iR1 database servers. An authenticated user with the ability to execute SQL is required to exploit these vulnerabilities. Nextgenss has no advisory dated recently but it is assumed that these vulnerabilities are included in an earlier one. They sound like SQL buffer overflow issues. These issues cannot be worked around due the nature of SQL being a core part of the Oracle database server. This is Oracles advisory #64.|
|19-Feb-2004||Multiple security vulnerabilities in Oracle9i Lite 5||Security vulnerabilities in 9i Lite||NEW Alexander Kornbrust has discovered 11 vulnerabilities in Oracle 9i Lite 5. These have all been patched. The key differences between Alex's advisory and Oracles is that Alex tells us in the history section of his advisory that there are 11 vulnerabilities and also that one of the bugs can be exploited without a valid account. Oracle say that a valid account is requird for these bugs to be exploited. If you use this product please install the patch from metalink asap. Oracle are not intending to patch versions 220.127.116.11.0 or 18.104.22.168.0 and advise customers to upgrade to 22.214.171.124.0 before applying the patches. This is Oracle alert #63.|