Oracle patches critical database server vulnerability

Oracle Corp. released a patch for a recently discovered critical security vulnerability affecting its database servers.

The buffer overflow vulnerability affects all supported versions of Oracle database servers and could enable a remote attacker to compromise the data stored in Oracle and gain control over the machine hosting the database server, according to a security alert posted by Oracle. (See http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf.) Affected versions include Oracle7 Release 7.3.x, all releases of Oracle8 and 8i, and Releases 1 and 2 of the Oracle 9i database.

On Friday, Oracle provided an interim or "one-off" patch for two versions of its 9i database and one version of its 8i database.

A patch for Oracle 8 database version 8.0.6.3 was available for customers with extended maintenance support, but the Redwood Shores, California, company said it had no plans to provide patches for earlier versions of its database.

Oracle encouraged customers running affected versions of its database software for which patches were available to apply the patch immediately.

The vulnerability exists in code responsible for handling Create Database Link queries, which enable one Oracle database to query information stored in another database, according to security company Next Generation Security Software Ltd. (NGSSoftware) of Sutton, U.K., which discovered the vulnerability.

Attackers can create an extra long value for the Oracle database link, then attempt to use that link, causing the buffer overflow. The buffer overflow can cause a denial of service to the Oracle database and, possibly, enable attackers to execute their own attack code on the database machine, NGSSoftware said.

The Create Database Link privilege is enabled by default for the Connect role, which is a standard role assigned to almost every active Oracle account, enabling users to connect to databases. The privilege is enabled regardless of whether additional Oracle database servers exist on a network, according to NGSSoftware.

Organizations that are unable to apply the patch can protect themselves by removing the Create Database Link privilege from the Connect role. However, a careful study should first be done of the effect such a move may have on applications that use the Oracle database, Litchfield said.
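The impact study and the revocation described above can be scripted against Oracle's standard data dictionary views. The following is an added example, not taken from the Oracle alert or from NGSSoftware; it assumes a session with DBA access to DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_DB_LINKS, and uses comma-style joins so it also parses on pre-9i releases.

```sql
-- 1. Every user or role that holds the privilege directly.
--    CONNECT appearing here confirms the default grant is in place.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- 2. Accounts that inherit the privilege through the CONNECT role.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
 ORDER BY grantee;

-- 3. Database links that already exist. Their owners are the
--    applications most likely to be affected by the change.
SELECT owner, db_link, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- 4. Link owners whose only source of the privilege is CONNECT
--    (no direct grant). Review these before revoking, and give a
--    direct grant to the ones that must keep creating links.
SELECT DISTINCT l.owner
  FROM dba_db_links l, dba_role_privs rp
 WHERE rp.grantee = l.owner
   AND rp.granted_role = 'CONNECT'
   AND NOT EXISTS (SELECT 1
                     FROM dba_sys_privs sp
                    WHERE sp.grantee = l.owner
                      AND sp.privilege = 'CREATE DATABASE LINK');

-- 5. The workaround itself: remove the privilege from the role.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- 6. Verify: CONNECT should no longer be listed.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;
```

Query 4 only checks direct grants, so an owner who also receives the privilege through another role will appear in its output and needs a manual check against query 1.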

In its alert, Oracle said that the vulnerability was unlikely to be exploited remotely, except in cases where the Oracle database was connected directly to the Internet, without the protection of a firewall or application server.

However, the widespread availability of the Create Database Link privilege means the vulnerability could provide an avenue of attack for an insider with low-level access to an Oracle database, enabling the insider to abscond with more sensitive information, according to David Litchfield, managing director of NGSSoftware.

The widespread use of Oracle's product to store critical information that could be the target of corporate espionage or identity theft schemes makes the database link vulnerability particularly serious, Litchfield said.

Still, the vulnerability is not easy to exploit. Attackers would need to have an advanced knowledge of the Oracle database and be able to code low-level exploits using assembly language to take advantage of the flaw, Litchfield said.

However, once one exploit has been created, it could easily be distributed to other attackers on the Internet who could then use it to carry out attacks without any knowledge of either Oracle or advanced coding techniques, he said.
