News
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.Newsletter Subscription
A software security expert warned users of Oracle Server that a software flaw could allow any user to read, modify, and delete data used by Oracle applications; he also says that Oracle may have unwittingly shown hackers how to exploit the previously unknown hole.
Alex Kornbrust of Red-Database-Security said on Monday that an article posted on Oracle's MetaLink knowledge base on Thursday identified an unpatched and previously unknown security hole in Oracle Server Enterprise Edition Version 9.2 to 10.2.0.3 that allows Oracle users with read-only privileges to delete or modify rows of data used by Oracle applications. Sample code published with the knowledgebase article showed Oracle customers how the flaw could be exploited, he said.
In an e-mail statement, an Oracle spokeswoman said the company is aware of the vulnerability Kornbrust identified and is preparing a patch to address it in a future Critical Patch Update (CPU).
Oracle removed the article from MetaLink after being informed of the security threat it posed. However, malicious hackers with access to MetaLink may have already copied the exploit code from the knowledgebase article, said Kornbrust, an expert on Oracle security.
The vulnerability affects an Oracle view called an updatable join view, which allows Oracle customers to dynamically update or delete information in underlying database tables, according to the knowledgebase article.
Kornbrust said users with SELECT privileges on a database table, which allows them to read and display data from the table, can instead delete, update, and insert new data into a table using the exploit detailed in Oracle's MetaLink article.
Kornbrust declined to publish details about the exploit, but said it is possible that malicious users may have copied the exploit code from the MetaLink article.
The problem is with Oracle's internal privilege checking routines, Kornbrust said.
The vulnerability will not affect data stored in the Oracle data dictionary, which stores the core information, such as tables of user accounts and database objects, used by the Oracle database. However, the flaw could be used to circumvent user permissions in software applications that rely on Oracle, Kornbrust told InfoWorld.
A malicious hacker would need to be able to log on to the vulnerable Oracle database, but even low level "read only" or guest accounts could be used to insert, update or delete data, he said.
"The impact of this on custom applications can be huge and eliminate the entire (user) role concept," he wrote in a post to the Full Disclosure security discussion list.
In an e-mail statement, Oracle's spokeswoman said security is a matter the company takes seriously and stands by the inherent security of its products, but that "we are always working to do better."
Oracle administrators looking for a temporary fix for the problem can remove the CREATE VIEW privilege for low-level accounts, Kornbrust said. That privilege was granted, by default, to user accounts for in versions of Oracle's database up to 10g Rel 2.
Computerworld Member Login
Realise Your VMware Vision: Storage Consolidation and Virtualization for Small to Medium Businesses
10:30 - 11am (EST, Sydney, Australia)
Wednesday, 4th June 2008
Screening live at your PC
Join Computerworld and our expert speakers:
- Jean-Marc Annonier, Research Manager, IT Spending, IDC
- Howard Porter, SMB Channels Manager, VMware
- Clive Gold, Product Marketing Manager Australia/New Zealand, EMC Corporation
to learn about the various virtualization technologies available today and what factors are driving it in small to medium businesses. Discover use cases and technologies that allow successful virtualization and storage consolidation for a more flexible IT infrastructure.
- +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future. - +
Data Management Edition #9: Data centre makeover 24/04/2008 07:43:06
This week CW Live looks at the death of the old style data centre which is undergoing its first makeover in more than 30 years. - +
IT Security Edition #9: Inside the bug trade. 16/04/2008 09:08:12
This week guidelines are released for the mandatory reporting of security breaches and we go inside the black market bug trade.
F-Secure Represented On The International Advisory Board IMPACT 2008-05-16 13:42:00+10
Quantum announces General Availability of Industry's First Solution Designed to Match De-Duplication Functionality to Specific B 2008-05-16 10:44:00+10
Hansen Technologies Extends Contract With Tokyo Electric Power Company 2008-05-16 09:44:00+10
More Than 140 Higher Education Institutions Worldwide Use RightNow on Demand CRM 2008-05-15 18:06:00+10
DST International Names Rob Gould as Director of Business Development and Strategy for Australia 2008-05-15 15:40:00+10
Extending Business Solutions across the Organisation
It is difficult for companies to overcome business challenges when employees are not connected to their business management solution. Discover Microsoft Dynamics Client for Microsoft® Office and SharePoint® Server and connect Microsoft Dynamics more closely with personal productivity solutions and much more.
