In association with heise online

14 August 2012, 11:02

Oracle releases unscheduled fix for critical vulnerability


At the recent Black Hat conference in Las Vegas, security expert David Litchfield revealed a zero-day exploit in Oracle's database server. Oracle has now plugged this vulnerability with an unscheduled patch. Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 and 11.2.0.3 are all affected, though the July 2012 patch update already contained a fix for the latter two.

The bug enables attackers to obtain the privileges of the SYSDBA user. To do so, they require a user name and password, the CREATE TABLE and CREATE PROCEDURE privileges, and the EXECUTE privilege on the DBMS_STATS package. The Oracle Text package also needs to be installed, which is typically the case.

Oracle is advising users to install the patch as soon as possible, as exploits for the vulnerability are already publicly available. According to Oracle, the bug may also be present in older versions which are no longer supported; the company will not be releasing a fix for these versions.

Oracle describes the bug, which has been catalogued as CVE-2012-3132, only in very general terms. A little more detail can be found in a blog post by Alex Rothacker of Team Shatter. He points out that normal database users should not possess the required privileges, but that developers generally do.

Rothacker advises administrators to assign the CREATE TABLE and CREATE PROCEDURE privileges, and EXECUTE privileges on DBMS_STATS and CTXSYS.CTX_DDL, only to users who really need them. In addition, all calls to CREATE INDEX with INDEXTYPE CTXSYS.CONTEXT and to DBMS_STATS.GATHER_TABLE_STATS should be monitored. Indexes on columns whose names contain '|| or ||' may indicate an attempted attack.
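The privilege review and monitoring Rothacker recommends, written out as Oracle SQL an administrator could run from a DBA account. This is an added example, not code from the article, from Oracle or from Team Shatter; it uses only Oracle's standard DBA_* data-dictionary views and the classic AUDIT statement, and it assumes the instance's AUDIT_TRAIL parameter is set to DB or DB,EXTENDED (the latter is needed for the SQL_TEXT column to be populated).

```sql
-- Added example: review the privilege combination the article names and look for
-- the CREATE INDEX / DBMS_STATS activity it says should be monitored.
-- Assumes standard DBA_* dictionary views and a DBA session; AUDIT_TRAIL must be
-- enabled for the auditing steps to record anything.

-- 1. Grantees (users or roles) holding both CREATE TABLE and CREATE PROCEDURE.
--    Roles show up here too, so check DBA_ROLE_PRIVS for who holds a listed role.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE TABLE', 'CREATE PROCEDURE')
GROUP  BY grantee
HAVING COUNT(DISTINCT privilege) = 2
ORDER  BY grantee;

-- 2. Direct EXECUTE grants on the two packages. A row with grantee PUBLIC means
--    every account in the database has the privilege.
SELECT grantee, owner, table_name AS object_name, grantable
FROM   dba_tab_privs
WHERE  privilege = 'EXECUTE'
AND    (   (owner = 'SYS'    AND table_name = 'DBMS_STATS')
        OR (owner = 'CTXSYS' AND table_name = 'CTX_DDL'))
ORDER  BY owner, table_name, grantee;

-- 3. Existing CTXSYS.CONTEXT domain indexes whose indexed column name contains
--    a pipe or a single quote. Such names only arise from quoted identifiers and
--    are unusual in normal schemas, so every hit deserves a look.
SELECT i.owner, i.index_name, i.table_name, c.column_name
FROM   dba_indexes i
JOIN   dba_ind_columns c
  ON   c.index_owner = i.owner
 AND   c.index_name  = i.index_name
WHERE  i.index_type = 'DOMAIN'
AND    i.ityp_owner = 'CTXSYS'
AND    i.ityp_name  = 'CONTEXT'
AND    (c.column_name LIKE '%||%' OR c.column_name LIKE '%''%')
ORDER  BY i.owner, i.index_name;

-- 4. Record the two calls going forward. Statement auditing of INDEX covers
--    CREATE/ALTER/DROP INDEX; object auditing of EXECUTE on the package records
--    each call into DBMS_STATS (GATHER_TABLE_STATS included).
AUDIT INDEX BY ACCESS;
AUDIT EXECUTE ON SYS.DBMS_STATS BY ACCESS;

-- 5. Review what auditing recorded: CREATE INDEX statements mentioning the
--    CONTEXT index type, and executions of DBMS_STATS.
SELECT timestamp, username, os_username, userhost, action_name, owner, obj_name, sql_text
FROM   dba_audit_trail
WHERE  (action_name = 'CREATE INDEX'      AND UPPER(sql_text) LIKE '%CTXSYS.CONTEXT%')
OR     (action_name = 'EXECUTE PROCEDURE' AND owner = 'SYS' AND obj_name = 'DBMS_STATS')
ORDER  BY timestamp DESC;
```

Query 2 is the one most worth reading carefully: if EXECUTE on either package is granted to PUBLIC, restricting it to named users is a schema change that can break applications relying on the default, so it should be tested before being revoked in production.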

Since version 9i, this index type has been used by Oracle's Text package to index large documents, including documents stored in binary formats such as PDF and DOC. The GATHER_TABLE_STATS routine in the DBMS_STATS package is used to collect statistics on a table and its indexes.

(djwm)

Permalink: http://h-online.com/-1666898