Details Oracle Critical Patch Update October 2005 - V1.07
After analyzing the new packages provided by patch 4579182 for Oracle 10.1.0.4 on Windows, I could identify the following vulnerabilities and was able to match most of the database vulnerabilities with the DBxx numbers from Oracle. I cannot guarantee that all my assumptions concerning the vulnerabilities are correct.
Up to now I was not able to identify the following Vuln# from Oracle:
DB01 (sys.standard), DB04 (dbms_cdc_subscribe), DB10 (sys.utl_i18n), DB13 (map methods), DB14 (Intelligent Agent), DB16 (Oracle Network Services), DB26 (Programmatic interface), DB28 (sys.it), DB29 (sys.lt_ctx_pkg).
Oracle itself uses a different vulnerability naming convention. If a package (like MD2) with several procedures and functions contains several different vulnerabilities in different packages, it is just 1 bug for Oracle.
On 31-oct-2005 I reported 25 security issues with Oracle CPU October and Oracle 10g Rel. 2 to Oracle.
--- NEW --- NEW --- NEW --- NEW --- NEW --- NEW --- NEW
On 7-nov-2005 Oracle Global Product Support sent a message to all customers using Oracle Enterprise Manager to download and re-apply Oracle CPU October again.
On 8-nov-2005 David Litchfield posted a message on Bugtraq that the database patches for Oracle CPU October are buggy again. A few hours later Oracle Global Product Support sent an email to all customers describing the additional steps that are necessary if you downloaded the patch before 9-nov-2005.
Extract of Oracle's email to their customers:
[...]
1) Go to the patch directory and execute the following steps. For e.g. if $ORACLE_HOME/Patch/4560405 is the patch directory, then:
# cd $ORACLE_HOME/Patch/4560405
# $ORACLE_HOME/bin/sqlplus "/as sysdba"
SQL> shutdown
SQL> startup
SQL> ALTER SYSTEM ENABLE RESTRICTED SESSION;
SQL> @ctxcpu.sql
SQL> ALTER SYSTEM DISABLE RESTRICTED SESSION;
2) You can check for any invalid objects by executing following statement:
SQL> select OBJECT_NAME from DBA_OBJECTS where status = 'INVALID';
3) If you get any invalid objects returned from the above query, compile the invalid objects using the following commands:
# cd $ORACLE_HOME/rdbms/admin
# $ORACLE_HOME/bin/sqlplus "/as sysdba"
SQL> @utlrp.sql
Similarly, if you rollback the patch in the future, repeat the steps above to complete the de-installation after executing the Post-deinstallation steps as described in the Readme.html file.
Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.
[...]
--- NEW --- NEW --- NEW --- NEW --- NEW --- NEW --- NEW
| Package | Function/Procedure | Granted to | Vulnerability / Change |
|---|---|---|---|
| KUPW$WORKER | MAIN | PUBLIC | Buffer Overflow when using multi-byte characters |
| KUPW$WORKER | RECREATE_DDL | PUBLIC | Buffer Overflow when using multi-byte characters |
| KUPM$MCP | METADATA_FILTER | PUBLIC | Buffer overflow |
| KUPF$FILE | GETJOBINFOR | PUBLIC | SQL Injection |
| KUPF$FILE | ADD_TDX_ROW_CB | PUBLIC | SQL Injection |
| KUPF$FILE | NEWEXPFILE | PUBLIC | Vulnerability Filename (DB07) |
| KUPF$FILE | NEWIMPFILE | PUBLIC | Vulnerability Filename (DB07) |
| KUPF$FILE | NEWWILDCARD | PUBLIC | Vulnerability Filename (DB07) |
| DBMS_STATS | EXECUTE_COUNT_LSCALABLE_VALUES | PUBLIC | SQL Injection |
| DBMS_METADATA_INT | FETCH_VIEW_ERRORS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_FILTERS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_VIEWS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | FETCH_COMMON | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | SET_TABLE_FILTERS | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_METADATA_INT | SET_MULTI_TABLE_FILTERS | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | DO_SUBST_FILTER | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | SUBST_FILTER | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | APPEND_FILTER_TEXT | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | GET_STMT_QUERY | EXECUTE_CATALOG_ROLE | Buffer Overflow |
| DBMS_METADATA_INT | NEW_SYSTEM_TRANSFORM_ENTRY | EXECUTE_CATALOG_ROLE | SQL Injection |
| DBMS_EXPORT_EXTENSION | GET_DOMAIN_INDEX_METADATA | | SQL Injection (DB09) |
| DBMS_EXPORT_EXTENSION | GET_DOMAIN_INDEX_TABLES | | SQL Injection (DB09) |
| DBMS_EXPORT_EXTENSION | GET_V2_DOMAIN_INDEX_TABLES | | SQL Injection (DB09) |
| DBMS_LOGSTDBY | SKIP_TRANSACTION | | Parameter Validation issue (DB06) |
| DBMS_LOGSTDBY | UNSKIP_TRANSACTION | | Parameter Validation issue (DB06) |
| DBMS_CDC_IMPDP | IMPORT_CHANGE_TABLE | PUBLIC | Parameter Validation issue (DB03, DB02) |
| DBMS_CDC_DPUTIL | VALID_TABLE | PUBLIC | Parameter Validation issue (DB05) |
| CWM2_OLAP_AW_AWUTIL | GETTOKENATINDEX | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | OPENFILE | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | OPENDEBUGFILE | | Buffer Overflow |
| CWM2_OLAP_AW_AWUTIL | PARSELIMITMAP | | Buffer Overflow |
| SDO_GEOM | RELATE | | Buffer Overflow |
| SDO_GEOR_UTL | CREATEDMLTRIGGER | | SQL Injection |
| MD2 | INTERACT | | Buffer Overflow (DB22) |
| MD2 | RELATE | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE | | SQL Injection (DB22) |
| MD2 | TESSELLATE_FIXED | | Buffer Overflow (DB22) |
| MD2 | TESSELLATE_FIXED | | SQL Injection (DB22) |
| MD2 | SDO_READ_LAYER | | Buffer Overflow (DB22) |
| MD2 | TEST_LOADGEOM | | Buffer Overflow (DB22) |
| SDO_IDX | IMP_EXP | | SQL Injection (DB24) |
| SDO_IDX | CMT_IDX_CHNGS | | SQL Injection (DB24) |
| SDO_PRIDX | GEN_RID_RANGE_BY_AREA | | SQL Injection (DB21) |
| SDO_PRIDX | GEN_RID_RANGE | | SQL Injection (DB25) |
| RTREE_IDX | INDEX_TRUNCATE | | SQL Injection (DB23) |
| RTREE_IDX | POPULATE_ROOT_MBRS | | SQL Injection (DB23) |
| SAMCLUST_IMP_T | ODCITABLESTART | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | PREDICATED_JOIN | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BEST_AGGREGATE_LOCATIONS | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | SIMPLIFY_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BIN_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | BIN_LAYER | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | AGGREGATES_FOR_GEOMETRY | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | AGGREGATES_FOR_LAYERS | | SQL Injection (DB20) |
| SAMCLUST_IMP_T | TILED_AGGREGATES | | SQL Injection (DB20) |
| MDPRVT_IDX | EXECUTE_INSERT | | SQL Injection |
| MDPRVT_IDX | EXECUTE_DELETE | | SQL Injection |
| MDPRVT_IDX | EXECUTE_UPDATE | | SQL Injection |
| MDPRVT_IDX | EXECUTE_GUPDATE | | SQL Injection |
| MDPRVT_IDX | CRT_DUMMY_IDX | | SQL Injection |
| MDPRVT_IDX | EXCHANGE | | SQL Injection |
| SDO_TPIDX | INDEX_UPDATE | | SQL Injection |
| SDO_TPIDX | INDEX_INSERT | | SQL Injection |
| SDO_TPIDX | INDEX_DELETE | | SQL Injection |
| | ODCIINDEXSPLITPARTITION | | SQL Injection |
| SDO_TUNE | AVG_DELTAS_FOR_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF_LAYERS | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_LEVEL | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF | | SQL Injection (DB17) |
| SDO_TUNE | AVERAGE_MBR | | SQL Injection (DB17) |
| SDO_TUNE | HISTOGRAM_ANALYSIS | | SQL Injection (DB17) |
| SDO_TUNE | MIX_INFO | | SQL Injection (DB17) |
| SDO_TUNE | SETUP_TEMP_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | SAMPLE_GEOMS | | SQL Injection (DB17) |
| SDO_TUNE | CLEANUP_TEMP_LAYER | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_TIME | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TOTAL_NUMTILES | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_INDEX_PERFORMANCE | | SQL Injection (DB17) |
| SDO_TUNE | AVG_DELTAS_OF_OBJECTS | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF_OBJECTS | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_TILING_LEVEL | | SQL Injection (DB17) |
| SDO_TUNE | EXTENT_OF | | SQL Injection (DB17) |
| SDO_TUNE | AVERAGE_MBR | | SQL Injection (DB17) |
| SDO_TUNE | SETUP_TEMP_TABLE | | SQL Injection (DB17) |
| SDO_TUNE | SAMPLE_GEOMS | | SQL Injection (DB17) |
| SDO_TUNE | CLEANUP_TEMP_TABLE | | SQL Injection (DB17) |
| SDO_TUNE | ESTIMATE_RTREE_INDEX_SIZE | | SQL Injection (DB17) |
| SDO_UTIL | PREPARE_FOR_TTS | | SQL Injection (DB18) |
| | SDO_JOIN | | SQL Injection (DB19) |
| PBSDE | INIT | PUBLIC. Workaround - use at own risk!!!: `revoke execute on sys.pbsde from public;` | Buffer Overflow (DB27) + Exploit |
| dbms_snapshot | unregister_mview | PUBLIC | Buffer Overflow (DB11) |
| dbms_snapshot | register_mview | PUBLIC | Buffer Overflow (DB11) |
| dbms_snapshot | unregister_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot | register_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot_utl | unregister_snapshot | PUBLIC | Buffer Overflow (DB12) |
| dbms_snapshot_utl | register_snapshot | PUBLIC | Buffer Overflow (DB12) |
| lbac_sysdba (LABEL Security) | | | Buffer Overflow (DB15) |
| dbms_scheduler | | PUBLIC | Escalate privileges after running a job (DB08) |
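Added example (not part of the original advisory or of Oracle's material): the "Granted to" column above is empty for many rows, so the queries below report the actual EXECUTE grantees on your own instance for the packages and types named in the table, together with the body status that Oracle's email asks you to check after re-applying the patch. It assumes a session that can read the DBA_* views; the name list is copied from the table.

```sql
-- Added example: who may EXECUTE the objects listed in the table, and is each
-- body VALID after patching? Names are copied from the table as printed; a name
-- that exists only as a synonym on your release returns no row here.
SELECT p.owner,
       p.table_name AS object_name,
       p.grantee,
       p.grantable,
       o.status     AS body_status
FROM   dba_tab_privs p
       LEFT JOIN dba_objects o
              ON  o.owner       = p.owner
              AND o.object_name = p.table_name
              AND o.object_type IN ('PACKAGE BODY', 'TYPE BODY')
WHERE  p.privilege  = 'EXECUTE'
AND    p.table_name IN (
         'KUPW$WORKER', 'KUPM$MCP', 'KUPF$FILE', 'DBMS_STATS',
         'DBMS_METADATA_INT', 'DBMS_EXPORT_EXTENSION', 'DBMS_LOGSTDBY',
         'DBMS_CDC_IMPDP', 'DBMS_CDC_DPUTIL', 'CWM2_OLAP_AW_AWUTIL',
         'SDO_GEOM', 'SDO_GEOR_UTL', 'MD2', 'SDO_IDX', 'SDO_PRIDX',
         'RTREE_IDX', 'SAMCLUST_IMP_T', 'MDPRVT_IDX', 'SDO_TPIDX',
         'SDO_TUNE', 'SDO_UTIL', 'SDO_JOIN', 'PBSDE', 'DBMS_SNAPSHOT',
         'DBMS_SNAPSHOT_UTL', 'LBAC_SYSDBA', 'DBMS_SCHEDULER'
       )
-- PUBLIC grants first: these are reachable by every database account.
ORDER  BY CASE p.grantee WHEN 'PUBLIC' THEN 0 ELSE 1 END,
          p.owner, p.table_name, p.grantee;

-- Rows granted to EXECUTE_CATALOG_ROLE are reachable by every holder of that
-- role, so list the holders as well.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'EXECUTE_CATALOG_ROLE'
ORDER  BY grantee;
```

A body_status of INVALID corresponds to step 2 of Oracle's email; a NULL status means the object has no separate body under that owner and name.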
References
History
- 9-nov-2005 - 1.07 - Problems with ctxsys & 8.1.7.4 and 9i Rel. 1 added
- 2-nov-2005 - 1.06 - History and References added
© 2005 by Red-Database-Security GmbH - last update 09-nov-2005
Oracle Patch Policy
Vulnerability Fixing Order of Oracle Vulnerabilities
- Main line of Code
- New Products (e.g. 10g Rel. 2)
- Patchsets for older products (e.g. 9.2.0.7)
- Critical Patch Update
More information available on Oracle OTN:
Security Vulnerability Fixing Policy and Process