Oracle sweeps bug under rug

Without making an official announcement and after directly notifying only customers who pay for support, Oracle last month posted a patch on its Web site for a bug that leaves customers running Oracle8 databases on Unix vulnerable to hackers.

The bug, which affects Oracle8 releases 8.0.3, 8.0.4, 8.0.5 and 8.1.5 running on Unix, involves oratclsh, a Tcl shell installed with the Intelligent Agent remote administration feature of Oracle8. An attacker who already has access to the Unix server can locate oratclsh and use it to run commands in the Tcl scripting language, which leaves them only a few steps from root, the same privileges as the system administrator.

"Anyone with half a brain is exactly three commands away from full root access. Anyone with a whole brain is exactly one command away from full root access," noted a Web posting from Dan Sugalski, a systems administrator at the Oregon University System.

Once root access is established, the hacker could access virtually all the information stored on a company's database, and could even disable portions of the system, making the bug a serious threat to the security of vital corporate information.
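As an added check, not taken from the article or from Oracle's patch, the POSIX shell function below audits an ORACLE_HOME tree for the oratclsh binary. It assumes, as the article does not say outright, that the exposure comes from the shell being installed setuid, so it reports any setuid copy it finds and a distinct exit code for each outcome; the function name, exit codes and the sample paths used in the usage call are this example's own.

```shell
#!/bin/sh
# Audit an ORACLE_HOME for the Intelligent Agent's Tcl shell (oratclsh).
# Assumption not stated in the article: the danger lies in the binary
# being installed setuid, so every setuid copy is reported.
# Exit codes (this example's own convention):
#   0 = no oratclsh found   1 = found, not setuid   2 = setuid copy found

check_oratclsh() {
    home="$1"
    found=0
    setuid=0
    # Walk the whole tree rather than assuming one hard-coded path.
    for f in $(find "$home" -type f -name oratclsh 2>/dev/null); do
        found=1
        if [ -u "$f" ]; then          # POSIX test: setuid bit is set
            setuid=1
            echo "SETUID: $f ($(ls -l "$f"))"
        else
            echo "ok:     $f ($(ls -l "$f"))"
        fi
    done
    if [ "$setuid" -eq 1 ]; then return 2; fi
    if [ "$found" -eq 1 ]; then return 1; fi
    echo "no oratclsh under $home"
    return 0
}

# Usage (assumed path, not from the article):
#   check_oratclsh /u01/app/oracle/product/8.0.5
```

Run it as the oracle user or root against each ORACLE_HOME on the server; exit code 2 means a setuid oratclsh is present and the host should be treated as exposed until the patch Oracle posted has been applied.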

With such potential for catastrophe, many find it surprising that there has yet to be an official announcement regarding the bug. Jeremy Burton, vice president of server marketing at Oracle and Oracle Technology Network, however, said he does not feel the company has ignored the bug, but rather taken all necessary steps to ensure the security of customers' solutions.

"As far as security is concerned, you really try to fine line as far as how you notify customers," said Burton. "There are issues that are really important that could cause a significant breach, and then those that aren't quite as important, and that's where we've categorised this one. Obviously if we'd considered this to be a major risk, we'd have been more proactive in notifying our customers."

Paying support customers were notified of the bug, and a patch was posted to the frequently asked questions portion of Oracle's MetaLink support site in early May. In addition, a notice was posted to the Oracle Technology Network and the Oracle Web site in the hope of catching the eye of unsupported customers.

One Oracle official noted that the danger for unsupported users could be minimal anyway, considering that most unsupported users are probably running older systems that are not affected by the bug. Oracle further downplayed the bug by pointing out that anyone attempting to breach the database's security would first have to break into the Unix system, which is no small feat; any ordinary account on the server is enough of a foothold, though, since the bug turns local access into root.

Despite Oracle's claims that the bug is not serious and customers have been notified, there is still concern that many users may have fallen through the cracks and be susceptible to hackers.

In what could be a telling sign of how little word of the bug has spread, one Oracle user who had not yet heard of the bug was Michael Abbey, the vice president of conferences for the Oracle User Group. In addition, users like Sugalski who were among the first to recognise the existence of the bug, have yet to be officially notified.

"We've never received anything proactive from Oracle, but fortunately we were aware of the bug from the start," said Sugalski. "My concern is that there are a lot of people out there who have downloaded the Linux version of the product and don't know that they are in danger."

According to Oracle's Burton, though, those customers have been considered through the posting to the Oracle Technology Network, which is where most of those customers would have downloaded the software in the first place.

Abbey agreed with Burton's assessment, noting that the bug should be of little concern considering Oracle's traditionally strong track record for quality and pointing out that most software packages have bugs and it is just something customers live with.
