The Oracle reaction
When we first contacted Oracle about the SCN issue, Mark Townsend, vice president of database product management, offered this reaction to our discovery of a low-privilege method to arbitrarily increase the SCN: "The way that you're putting these [issues] together is nothing that we've seen ... we need to understand what it is that you're doing to raise the SCN by trillions. Obviously I need to have some time to have the dev people look at that."
After much discussion and exchange of technical data, Oracle acknowledged that there were ways to increase the SCN at will. Referring to one method, Townsend said, "This is an undocumented, hidden parameter, so it was never intended for customers to discover and use this."
However, we pointed out that there were several other methods that could be used; we sent those to Oracle as well.
Oracle's remedy for these security vulnerabilities is in the series of patches present in the just-released January Oracle Critical Patch Update. These patches remove the various methods of arbitrarily increasing the SCN and implement a new method of protection, or "inoculation," as Townsend put it, for Oracle databases.
We haven't had time to exhaustively test these patches, nor do we know exactly what the "inoculation" patch does. In fact, without extensive testing, we cannot provide further details other than that it claims to prevent connections from databases with sufficiently high SCN values. We do not know, for example, whether this could potentially cause problems for affected systems that need to connect with other systems.
These patches are being released for only the more recent versions of the database: Oracle 11g 220.127.116.11, 18.104.22.168, and 22.214.171.124, as well as Oracle 10g 10.1.0.5, 10.2.0.3, 10.2.0.4, and 10.2.0.5. Older versions will continue to be affected. Given the sheer number of Oracle installations older than 126.96.36.199.0 and 10.1.0.5, a large installed base will remain vulnerable.
The next steps
The next step for Oracle admins is to inspect the SCN values of their databases. Following that, the application of the hot-backup patch is crucial, as are the follow-up patches that address the ability to arbitrarily increase the SCN value through administrative commands. However, since patches exist only for newer versions of the database, there may be no other option for older databases than to upgrade.