Fundamental Oracle flaw revealed

A design decision made by Oracle architects long ago may have painted some of Oracle's largest customers into a corner. Patches have arrived, but how much will they correct?

Page 2 of 2

As mentioned, the risk of such a scenario playing out is very small except in large, highly interconnected environments where an elevated SCN can flow like a virus from server to server. But once a server is infected, there's no going back. Also, if the SCN is incremented arbitrarily -- or manually, with malicious intent -- then that 48-bit integer hard limit is suddenly not as astronomical as it might seem.

The community reaction

InfoWorld contacted a number of Oracle sources for this story. Several lacked familiarity with the problem; others noted that Oracle licensing agreements prevented them from commenting on any aspect of their product usage. The head of the Independent Oracle User Group (IOUG), Andy Flower, offered this statement on the record: "This bug with the SCN number is obviously something our membership would be concerned about -- and will need to consider what sort of challenges that may present and if any mitigation strategies will be needed. I'm sure it will be a topic that some of our larger members will probably get together and discuss."

Among the Oracle experts we spoke with, Shirish Ojha, senior Oracle DBA for Logicworks, a hosting and private cloud service provider, was the most familiar with SCN issues, including the bug numbers associated with the problem. He acknowledges that although few Oracle environments are likely to encounter the problem, the consequences may be severe. "If there is a dramatic jump in SCN due to any Oracle bug, there is a minimalistic probability of breach of this seemingly high number," said Ojha, who has earned the coveted title of Oracle Certified Master. "If this occurs in a high-transaction and large interconnected Oracle architecture, this will render all interconnected Oracle databases useless in a short period of time."

Ojha continues: "If this occurs, even though its probability is low, the potential [financial] loss ... is very high." By definition, he said, the problem has the potential to affect only large Oracle customers. But "once the SCN limit is reached, there is no easy way to get out of the problem, other than shutting down all databases and rebuilding databases from scratch."

Anton Nielsen, the president of C2 Consulting and an Oracle expert, focused on the potential risk of malicious attack using an elevated SCN: "In theory, the elevated SCN attack is similar to a DoS attack in two significant ways: It can bring a system to its knees, rendering it inoperable for a significant period of time, and it can be accomplished by a user with limited permissions. While a DoS can be perpetrated by anyone with network access to a Web server, however, the elevated SCN requires a database username and password with the ability to connect."

The Oracle reaction

When we first contacted Oracle about the SCN issue, Mark Townsend, vice president of database product management, offered this reaction to our discovery of a low-privilege method to arbitrarily increase the SCN: "The way that you're putting these [issues] together is nothing that we've seen ... we need to understand what it is that you're doing to raise the SCN by trillions. Obviously I need to have some time to have the dev people look at that."

After much discussion and exchange of technical data, Oracle acknowledged that there were ways to increase the SCN at will. Referring to one method, Townsend said, "This is an undocumented, hidden parameter, so it was never intended for customers to discover and use this."

However, we pointed out that there were several other methods that could be used; we sent those to Oracle as well.

Oracle's remedy for these security vulnerabilities is in the series of patches present in the just-released January Oracle Critical Patch Update. These patches remove the various methods of arbitrarily increasing the SCN and implement a new method of protection, or "inoculation," as Townsend put it, for Oracle databases.

We haven't had time to exhaustively test these patches, nor do we know exactly what the "inoculation" patch does. In fact, without extensive testing, we cannot provide further details other than that it claims to prevent connections from databases with sufficiently high SCN values. We do not know, for example, whether this could potentially cause problems for affected systems that need to connect with other systems.

These patches are being released for only the more recent versions of the database: Oracle 11g 11.1.0.7, 11.2.0.2, and 11.2.0.3, as well as Oracle 10g 10.1.0.5, 10.2.0.3, 10.2.0.4, and 10.2.0.5. Older versions will continue to be affected. Given the sheer number of Oracle installations older than 11.2.0.2.0 and 10.1.0.5, a large installed base will remain vulnerable.

The next steps

The next step for Oracle admins is to inspect the SCN values of their databases. Following that, the application of the hot-backup patch is crucial, as are the follow-up patches that address the ability to arbitrarily increase the SCN value through administrative commands. However, since patches exist only for newer versions of the database, there may be no other option for older databases than to upgrade.

It's also critical that Oracle admins take great pains to prevent any unpatched Oracle database servers from connecting to any other Oracle databases within the infrastructure. This will present quite a challenge in large deployments that utilize many different Oracle versions, but it will be necessary to prevent spurious SCN growth. It appears that keeping SCN values in check will be an ongoing exercise for some Oracle shops, requiring monitoring and careful inspection of new installations down the road.
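The inspection and monitoring steps above, as an added example that is not from the article or from Oracle: a query against V$DATABASE that reports the current SCN against the 48-bit hard limit and Oracle's time-based SCN ceiling, plus a second query that measures how much SCN the database consumed in the last 24 hours. It assumes the ceiling of 16,384 SCN per second elapsed since 1 January 1988; the 50 and 90 percent thresholds are constructed choices, not Oracle's.

```sql
-- Added example, not the article's or Oracle's own code. Run it on every
-- database that participates in database links; needs SELECT on V$DATABASE
-- (the CURRENT_SCN column exists from 10g onwards).
-- Assumption: the time-based ceiling is 16,384 SCN per second counted from
-- 1988-01-01; the 50%/90% thresholds below are a constructed policy.
WITH limits AS (
  SELECT POWER(2, 48) - 1                                       AS hard_limit,
         ROUND((SYSDATE - DATE '1988-01-01') * 86400) * 16384   AS rate_ceiling
  FROM   dual
)
SELECT d.name,
       d.current_scn,
       l.hard_limit,
       l.rate_ceiling,
       -- how far into the permitted range this database already is
       ROUND(100 * d.current_scn / l.rate_ceiling, 2)            AS pct_of_ceiling,
       -- days of headroom left if SCN were consumed at the full 16,384/sec rate
       ROUND((l.rate_ceiling - d.current_scn) / 16384 / 86400, 1) AS headroom_days,
       CASE
         WHEN d.current_scn >= l.rate_ceiling * 0.9
           THEN 'ALERT: near ceiling, keep isolated from other databases'
         WHEN d.current_scn >= l.rate_ceiling * 0.5
           THEN 'WARN: track growth rate'
         ELSE 'OK'
       END                                                       AS status
FROM   v$database d
       CROSS JOIN limits l;

-- Daily SCN consumption: a sudden jump here is the "spurious SCN growth" to
-- watch for after a link to an unpatched or elevated-SCN database.
-- TIMESTAMP_TO_SCN raises ORA-08180 when the SCN/time mapping no longer covers
-- the requested time (the mapping is only kept for a few days).
SELECT d.current_scn - TIMESTAMP_TO_SCN(SYSDATE - 1)          AS scn_used_last_24h,
       ROUND((d.current_scn - TIMESTAMP_TO_SCN(SYSDATE - 1)) / 86400) AS avg_scn_per_sec,
       16384                                                   AS max_scn_per_sec
FROM   v$database d;
```

Schedule the second query and alert when avg_scn_per_sec approaches the 16,384/sec rate or when scn_used_last_24h jumps by orders of magnitude between samples.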

We hope that Oracle's patches and the increased visibility of this issue will provide Oracle shops with fair warning of problems they may face and arm them with at least some protection against a potentially large problem.

This article, "Fundamental Oracle flaw revealed," was originally published at InfoWorld.com.
