Oracle releases unscheduled fix for critical vulnerability
At the recent Black Hat conference in Las Vegas, security expert David Litchfield revealed a zero day exploit in Oracle's database server. Oracle has now plugged this vulnerability with an unscheduled patch. Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 and 11.2.0.3 are all affected, though the July 2012 patch update contained a fix for the latter two.
The bug enables attackers to obtain the privileges of the SYSDBA user. To do so, they require a user name, password, CREATE TABLE and CREATE PROCEDURE privileges, and EXECUTE privileges for the DBMS_STATS package. The Oracle Text package also needs to be installed, which is typically the case.
Oracle is advising users to install the patch as soon as possible, with exploits for the vulnerability already publicly available. According to Oracle, the bug may also be present in older versions which are no longer supported; the company will not be releasing a fix for these versions.
Oracle describes the bug, which has been catalogued as CVE-2012-3132, only in very general terms. A little more detail can be found in a blog posting by Alex Rothacker of Team Shatter. He points out that normal database users should not possess the required privileges, but that developers generally do.
Rothacker advises administrators to only assign CREATE TABLE and CREATE PROCEDURE privileges, and EXECUTE privileges for DBMS_STATS and CTXSYS.CTX_DDL, to users who really need them. In addition, all calls to CREATE INDEX with INDEXTYPE CTXSYS.CONTEXT and to DBMS_STATS.GATHER_TABLE_STATS should be monitored. Indexes for columns which include '|| or ||' in the column name may indicate a potential attack.
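How a database administrator could act on that advice, as an added example that is not code from the article, from Oracle or from Team Shatter: three queries against the standard Oracle data-dictionary views (DBA_USERS, DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_INDEXES, DBA_IND_COLUMNS, DBA_AUDIT_TRAIL) to find accounts holding the full privilege combination, to look for CONTEXT indexes on suspiciously named columns, and to switch on and review traditional auditing for CREATE INDEX and DBMS_STATS/CTX_DDL calls. It assumes a 10g/11g database with AUDIT_TRAIL set to DB and is run as a DBA; the one-day review window is a constructed value.

```sql
-- Added example (not from the article, Oracle or Team Shatter). Assumes
-- Oracle 10g/11g dictionary views and traditional auditing (AUDIT_TRAIL=DB).

-- 1. Users holding CREATE TABLE, CREATE PROCEDURE and EXECUTE on DBMS_STATS,
--    the combination the advisory describes. Direct grants plus one level of
--    role membership are considered; nested roles are not expanded. EXECUTE
--    on DBMS_STATS is granted to PUBLIC by default, so PUBLIC counts for all.
WITH user_roles AS (
  SELECT username AS grantee, username AS via FROM dba_users
  UNION ALL
  SELECT grantee, granted_role AS via FROM dba_role_privs
),
sys_priv AS (
  SELECT ur.grantee, sp.privilege
  FROM user_roles ur
  JOIN dba_sys_privs sp ON sp.grantee = ur.via
),
exec_priv AS (
  SELECT ur.grantee, tp.owner || '.' || tp.table_name AS pkg
  FROM user_roles ur
  JOIN dba_tab_privs tp ON tp.grantee IN (ur.via, 'PUBLIC')
  WHERE tp.privilege = 'EXECUTE'
    AND (   (tp.owner = 'SYS'    AND tp.table_name = 'DBMS_STATS')
         OR (tp.owner = 'CTXSYS' AND tp.table_name = 'CTX_DDL'))
)
SELECT u.username
FROM dba_users u
WHERE u.username NOT IN ('SYS', 'SYSTEM')
  AND EXISTS (SELECT 1 FROM sys_priv  WHERE grantee = u.username AND privilege = 'CREATE TABLE')
  AND EXISTS (SELECT 1 FROM sys_priv  WHERE grantee = u.username AND privilege = 'CREATE PROCEDURE')
  AND EXISTS (SELECT 1 FROM exec_priv WHERE grantee = u.username AND pkg = 'SYS.DBMS_STATS')
ORDER BY u.username;

-- 2. CONTEXT indexes whose indexed column name contains '|| or ||' ,
--    the pattern the article names as a potential attack indicator.
--    A doubled single quote inside a literal is one quote character.
SELECT i.owner, i.index_name, i.table_name, ic.column_name
FROM dba_indexes i
JOIN dba_ind_columns ic
  ON ic.index_owner = i.owner AND ic.index_name = i.index_name
WHERE i.ityp_owner = 'CTXSYS'
  AND i.ityp_name  = 'CONTEXT'
  AND (ic.column_name LIKE '%''||%' OR ic.column_name LIKE '%||''%');

-- 3. Monitoring: audit index DDL and every execution of the two packages.
--    Traditional auditing records the package, not the individual procedure,
--    so GATHER_TABLE_STATS is only distinguishable from other DBMS_STATS
--    calls if AUDIT_TRAIL=DB,EXTENDED is set and SQL_TEXT is reviewed.
AUDIT INDEX BY ACCESS;                     -- covers CREATE/ALTER/DROP INDEX
AUDIT EXECUTE ON SYS.DBMS_STATS BY ACCESS;
AUDIT EXECUTE ON CTXSYS.CTX_DDL BY ACCESS;

-- Review the last 24 hours (constructed window), most recent first.
SELECT timestamp, username, os_username, userhost, action_name, owner, obj_name
FROM dba_audit_trail
WHERE timestamp > SYSDATE - 1
  AND (   action_name = 'CREATE INDEX'
       OR (owner = 'SYS'    AND obj_name = 'DBMS_STATS')
       OR (owner = 'CTXSYS' AND obj_name = 'CTX_DDL'))
ORDER BY timestamp DESC;
```

The first query deliberately errs on the side of listing too many accounts: a user who gets CREATE TABLE through a nested role will be missed, while PUBLIC's default EXECUTE on DBMS_STATS means the CREATE TABLE and CREATE PROCEDURE grants are usually the deciding factor, which matches Rothacker's point that developers, not ordinary database users, tend to hold them.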
Since version 9i, this index type has been used in Oracle's Text package to index large documents, which can also be stored in binary formats such as PDF and DOC. The GATHER_TABLE_STATS routine in the DBMS_STATS package can be used to obtain information on a table and its indexes.
(djwm)