Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle's correction to the April CPU patch email has been posted to Bugtraq"] [Next entry: "New Oracle Security Forum opened"]

[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package



I also noticed another post to the bugtraq mailing list this evening from Cesar Cerrudo of Argeniss titled "[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package". The post describes the issue that Esteban Martinez Fayo found some months ago in the package OLAPSYS.CWM2_OLAP_AW_AWUTIL. Basically Oracle told Esteban that the issue was fixed in the July CPU but when he tested a patched 9iR2 system it was not fixed, 10gR1 was fixed. Esteban and Cesar contacted Oracle's security team and asked why it was not fixed, the said "Our development teams neglected to do the backports. We are working on creating those backports now". Oracle has said the issue will be fixed in the October CPU. Argeniss say this is high risk vulnerability and Oracle should care more about protecting customers so they have released a workaround in the meantime. This workaround can be found here : http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql - (broken link) http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql

This workaround uses a procedure to loop through all users and roles granted execute privileges on CWM2_OLAP_AW_AWUTIL and also from PUBLIC. Beware that running this could break applications that depend on these execute privileges. The script states this at the top.