Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Oracle Issues Fix for Faulty DB Server Patch



 By: Ryan Naraine
2005-07-08
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
After a report from a private security research firm that the original patch fails to address an exploitable flaw, Oracle tries again.

Enterprise software giant Oracle has released a fix for an incomplete database server patch after a private security research outfit discovered that the underlying vulnerability was never addressed.

Oracle Corp.s patch fix comes almost a month to the day after David Litchfield, managing director at United Kingdom-based Next Generation Security Software Ltd., brought the faulty patch to the companys attention.

The April "Critical Patch Update" (available here as a PDF) addressed 70 security flaws in Oracle database and application server products, but during routine testing, Litchfield discovered that the patch was sending scripts to the wrong directory and that the source of the actual flaw was not addressed.

"Whilst analyzing the April update, I noticed some failures in it, which meant certain issues the patch was supposed to fix were actually left unfixed," Litchfield said in an interview with Ziff Davis Internet News.

To read more about criticisms of Oracles database-security patching strategy, click here.

Resource Library:
"I was looking at the patch and testing it against the vulnerability, and, after properly applying it on a test server, I noticed that the vulnerability still existed. One of the Java classes wasnt loading properly," Litchfield said.

Digging deeper, Litchfield said he found that the actual source of the problem lies within the underlying Java class files. "The April [patch update] fails to properly load the newer patched classes, which means that these problems can still be exploited," he added, warning that all platforms are affected by the incomplete patch.

On Windows, both 32 bit and 64 bit, Litchfield detected a second problem that could be exploited to allow a guest user with low privileges to gain full administrative rights to the database. "Once you elevate those privileges, you can do anything you want with that database," Litchfield added.

Read details here about the outcome of Sybases attempt to silence a security research company.

Litchfield, who is well regarded for his research work on security in database products, said the privilege-escalation flaw could allow an attacker to run arbitrary SQL by abusing the "CTXSYS.DRILOAD" package to gain DBA privileges.

"This was discovered by multiple persons and was initially fixed in August 2004. However, the April Critical Patch Update copies the updated SQL script file to the wrong directory, and if previous patches [August 2004 or January 2005] have not applied then you will still be vulnerable to this attack even if the April CPU has been applied," he explained in a public advisory.

Litchfield said he reported the problems to Oracle in early June and confirmed that the company has made the necessary corrections. Oracle customers can find updated information on the MetaLink paid customer support portal.

"They [Oracle] have sent out e-mail notices to everyone who downloaded those patches. There is updated documentation on Metalink that explains what steps were needed to fix the issues properly."

"Oracle customers should know that if they dont take these extra steps, they are still vulnerable to a very serious vulnerability," Litchfield added.

Click here to read Associate Editor Lisa Vaas commentary on Oracles approach to database security.

Efforts by Ziff Davis Internet News to contact Oracle were not successful.

Oracle has been heavily criticized in the past for a lack of haste in addressing critical security flaws. The issue came to a head at the BlackHat briefings in Las Vegas last summer when Litchfield released details on more than two dozen security holes in Oracle products that had not been fixed.

At the time, Oracle confirmed that it was aware of the vulnerabilities—some of them critical—for several months.

The public relations fallout from that incident prompted Oracle to shift to a quarterly patch cycle, in which four "Critical Patch Updates" will be posted every year.

Oracles next batch of patches is due next July 12, the same day that Microsoft Corp. is scheduled to ship three security bulletins.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Oracle Issues Fix for Faulty DB Server Patch
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ks8q8cH)ْcm,k)fV(8H.I1sO/vKZ#='NŖ4Fw?I9wtô c }:I}"I~x#(3`Vϩ9AzNɑ1,)~-sjscj55Gl$J~x'AT{j x̨9uΜO9קԗoO~e0.ڶAI6*6O0o?'׼;A:W;YJL~'@DR˅&- >'NwjQ2ZN-ԊhGZAAr,f3}3+i*5$NxВM-AoA>EN,[sAT4 行ĠK`W:kS>m]?_r\w.Z>9]VsGR,][ٻS7?A*Gm'!|emxZ.3334!E&M w&|hx }# 00w9&z(tH h&r<kIOmLJ.?6 [ G`rɭ 5y05ݻ#i`y1yjQ?]*~ `=w= X_ X.{s6G~>2-01%ޥ6 q0y z[ dQJ d$@!"-i]NP@Ar68 -8,rrd++~Gy-#!bTLZ(ݞH:wP-KEscMX*QY,p[/ Pf%)5{~X9yDMf#T`B[ụLKak`Dݚ,#M& yz {[W5´ ҄%(𝀴t0OjHL\U}Ge٢szn I߱n)y@6Êi\ǺdMjEsӆH|Ehs 2!j̹æXgu׵LjTN`3!WqlМwaMߨÕ~|ÈIuO'ܑ-ӾRoBo+څP!_.dI_fMblȌu>I!VB17OH wf@nmHݤ|r%eR{`MLE2a==%ӻnR/0}̙SĠ3BZSOs\| g:[6[7˦EI8Jەi]jk-T8W7Bɶ/²xcP66R(kυ5Ӳ =2PC6*&C 7s(= > XTM.R?>2ai;jISJR{5>k憭,0!/Ȁ2n(,قrir1::NXs]OL.n9 8[xyfbqgEae@ΨԪLs0z ǁ/ı@b== Czn//+ i{u]ؓ.\՜L|zn P[az{>8`Tfla81-&twֳj 1SQ_.)UQD[d"vd\6˰@e9ִ&3q,˹F z4n?0RKkڋPxP߄SsDL$T2`'7s] eaaȓuEoXz1SXe;;pM2vH} [̝gjQIBM RN]&Xk5F>սL:㼝 XA\ ]DrAab D$T `nR@:kRUԓxZC@^~qJ%$tX2H}:^x>S7Ϗ9(ghW9d*>'HR-ʪZJ _>2z4Ebw8t&}y _˻3 ?M4/~QjCzMp`>s@,|rqZEYO`s!AvЎ@OeƚR*%1Pc0u NjZ`Gwf^=/YQwןlf18D"sLΨ-/|o@ pe>#yl)ctxl-qR#Y w7䪢-} K3]V< OQ: lz#x f`QtEa&Ji.E `wAMz*O1)"cqi@?@㺦qž,JV-"X+CbRLh^;p ZN&ZFB-†8k*Yr&"wls7ѻMslޥ0͜96@yZI@j5VZ`gOpTcHj[AO`wTˠfj 㦧RRU@V_Aұg / _5Ǿ/<]~?4򆶾ʐihG`dQ rHU m{\ c4w{u]qTYe)(@qg@f "RrEuY;tЋ­7*6P#IȕO?"⣨j]7 J \Z/ha~%36B-[`,@N|CO]kl`ۤ\ASf<^ΈےCtK37~ 6Fu)7 u͋ - OM=)hQˤ̓G\\7hctDoSwgucć)us#\Դ"Hw ضRsG?%DaqC` H\WKdQ"Y @rrjT Gr2RDBZNBq<:N+tCN\6ǷWXdK!Mo$DDOCVjgX& 21ǟM1Ή{}VU%&BP`&w,OɪO@T #N{?J䏽;!)hlw1NC <{kq >*u.ZUWO-m~h4.[-tJj2i&A)h]1~̮VsAцۧ0Z@Ɂ^W6>t.ėtOz+~w.R1ARdGypqȒu8*Dyyp|ly0amG 'Lk4 D8 mÀ@ c]WX0pz)vӱB3ZMUc | ڠ<mFpv[_aݪ,$20! I+U:?>   cJ=!ohu/ё{kD&-bT0_RJI"Q6#=)#WYY}һjr3Kl}AN&Nd~vZ-[N7S+d$?]Я8݃͟*VRmZϤw~@Hy 9/g`IB8qen1~xA\}n_^iԎ(%4 \(?m[=`RrPR)&bz&I;ɰǺ%uyjdJ1%SBt 02L P6,O&y=%lQ1 i(KBih%lbTHRoOټ6<1ޥ]晿BNmK$cΖfė4 y) -|8SB[(GH T䵤 Zzl*$;qbwy`0!9˫|1{~T*۾m3XxtqH4S `/#9ʼSs,`Z GW ./Cv6cNȣ&k{?ȔK3>^g]s>ͥ0i8;_=?P.zSgOɵ2sXs\ Zpl+ҿDž³bpi?#iWyepbAg$H~"`@GL|9yÿ§ ' [s]3'伉q+ɛnۨ+=YluKdؗ{vOKn4]9鈧Usd{I2$BUUk ۻɾZEVeΜtї^t;>rix7YU x3D?.ye9}doxzooo=ȥq=*~O Ϻ7]f+wB%mJK{9nhp;D%ýqQ#y∶K`!j>b_{k&bi4W3ZT=}~[fvÏ9!i ј@.-vc鼳2> A#Vorl8w@rs&cx2HB%LwVp*gcc;/F#%k&ySϱm @|Րr/hZ1i`jcZ/p8|+؊wfo_O6oNւ1v̙[ʈ1௥WMnc b |kI5%??=3q ɛx{7d\ڊ}fK~~ fv/ihx5taV،SLsQW Z Lt/r3cX bi$&5 fIX-ԃt1!KO}Sġ~=jϞj²GS R=l@\420fS邆g/kcXP jyI u£NHJ]`!iڀcb~ rG{YsYה71%o v%\+,h[Me"/CkgF1@(# psg`y@)U+9!;nJ{ f[l,&,˨y3N8-ĦJV#Mt1 /c3peɐbPGvG,3GvT;M͂= n %ӏC&6=x7XGٛ%WCޮ8ڑD",$J0wR}260 fe3MmLP߄_d`XFifws21z| }p˺E`h]{Y,֦G\*J4Z)1Zd^=QD˂u;a@v{j1Ա \/x9Z{]4%J?y#S?bP(1 rS=$L`y~Wv~ic4]ɺ|A|ZT<ҩy/:N1:8$f&<(&Dlv8\ H8@Yù`3"C4hJ&) Ӱ^!a]~ wIR*R}'+U%Mۖ O8KJ!pI=&4ܳv~I=6O,c\̍*v{Tcմ. AK]0o KeeB(^7p!3@ ci_GCn3d4?r~_StoN5_,] "⭕odd8x– NNZYsdzI* cv`vu #ЉK}Pt`-&RVT D<$Q%a ]AV%,aoj^:_%U_|)͗/Ќ{N` j{69^ٔ +n'0:x] {O8غdPzqbֆ53aC F"]9!u)YBG;@ JMdmX c4AЄf4 5E/LYoIhtI޵utAK>;,!Ja&.3vH${9!$uc;w5TzΠ$DSxK[RMm/o@N_B 1B5Ǧfl@2gx}C"P|HP<# d쎄S!䡞݀݀݀݀ߐ*ʷU3`_,`I,,CKhYXR} ש3rp["Bj;>ml]k;+䑙bRƫN9z0%ۅK\ 0:#Ja7jx>6>64jI:`v쉵UHEb.h1p a3a$v0޲D8$thE雡g"Dco;H 1wNAuϤ!!V+P~V4ZyGg;;[#aH!}ߔtأao;ƶ57,SAs}~X]heP<gsg +{re'_g[^G.jʸi븺e):}K\A7{ɘ/c$#ŷja7ǘ^1DSn{9Twf yfAS .čm#l0M#ۀږձ6ixQ| ȪhֲƑ=:wnJY,eeXy3][c ~2oH@85Q/Nl'D(&w% 8g[[Ɠ@w< Í$]݃^8=_}"\&:F?|_ӗ!K{~i[ C b}`2]Ӳ뿓$yjz`'ݴUX,hMVÙBtsanѯ vExo~m61»67w-ǘXf]G?ځrUt7 fZP ,%\k1u'xOC g AKuf^Oq\dIw'y{Ddm?{Y?`#tw$b䭽d??~܋n6!?sLuя{'駠T#1Ao-!Dߑ~x Ui;@#ߙfו'*ZYݵ#𪝊Zg Knb,.8]Ԑ5|51 ۓ9>dw <P^?ˢǏ{EED_NtQ+"$PVôL?@O]ILa!-(!-DRqaIzF&sLj$9MIuMMm&^e 0ka4 '"l\M!'q/丱5ˋCAE& :v<ƽ7 KflǛԁacNͦ"f xѴëB*sN /*JM]ϹOQ.K]ZXuZ.{ff@]&^"r\餷 G]#DXtpU) &Ǹ,GZj>A1Rhs05̈Gbv mz^CJ;7ܕ6.W@O[jkhDP"ͪDpd:{ xˢ-*< ;,)˂=쒢D:&8FtkeL٦ƗRµIʥ rQ D%R&E"#m徭J~RRꑻ!߽0|US*Z <\ GZ9BI\':g~d䥒V,T˩uz MqFp}b 7Zl]PG J6_KO~W1|}.[œ>V-V]M5>^(]LqBs҇5o4l}ޝKj߶$|͉ɒB ;ʎݢsf;6vfRjW >P;>sđۋuNhO0V`Wlfm?ڒVo5JzK(ӘFL@rۺm6Aұ`߷b~msYlL-h9mfixo21ti< 4{<<ґ(W' #n%YVmIr .kh>a{' )ﵪ(5 /UP8AnK]ݴX;Њo.>So+ɀ c 4rt7\9P[08@`mʼϴ@'BSxCGd.$ q+q5`G`<$nXV{+$νOg-<-cWld"$@D_Ѿn?"=4;}?o>zxX2kM&Cߑ7-0LӆV<&A>a:$.+JAW9^¼t'lˮmкbU? |9@G)׼9Ĕ#Y ͸޾xuWjJGTw.2OaDP=SbX"?bR1Q(pxi|wv`nOKZa kE$06 n#B s23DDS^ôւiĄA6(ӃDϽ%ccZ|,{{GǙ;fQWs@byH- 0N[.JUE d3w  sn Q@J ͍$ԇ:m i0ssXg- .E.ӻq{f+[^m1fi5KqfldaQ(b:Mt?,|Ǯ%nNKM b$!%H$bcx=9`1A2lz㍡wgؗ?0C(.ŌCZQJФ*t+R0cU-%+_SoSTwV7XKz+i+K9Iˑ ;^n)^p@|LCSu0!XF 9]&9jIqs9.qw'5} '\MGݩ;ǽ֗Es15NM<Ņ·_s}mP0mw %EfvʂT{S.ͅdUh,Y3U94dG_14e8q@O38Sv}YQJab_)oZW~_V\k) <VՑt.5]rRO-mq4@Q`1D GM&7ba>o Hk&5+<r<(3_3ʯjsI(Qރ^F9R`sy pjg@Si~>@?d'(ku6wZFQd3r'~F(gmfOw~~}v3 ͠Oы_|gP~Q7([Fyʻ0{s?0׃2ː?=/ r qAeW@?WӇ3߇3?dP埀>eg(U1πr 3ڿΠ = >k^픊8kgK " SV9,.N3kP! g  z-22B ~/{'sg+I\WKM0TntEճK\7cn%:vņ^_Rq6ևɧ {xuCWeC=z}􇠮yP͹Ȫ)N(P7Ejn2h s{)螡zȧ N 7\zќ83 P7c:ɹT.jZQo\)Uʹ俒+vh""C& ATMVYI0ZYr(RB4|O۴W)Y7tCsc<{+4wаY-}?"z%~@NM6"/cZA6of)3^սD<'M~ m

&\ʠaCao/Yb+F;c"4Nwz:Ueijby0\9+h Lov[UݢQM Y9NW&3b" >oٔ^^C N*˗ X627'vY?['lybb)mԿ+cAErlyѻKd>`M"X5R'ȹGӟ}Q!je: /hpx7&D`a\m8ŊI(q0 Sփݍ/Yjb5v`va5v"^J'@0AHm omF3FЯٵǖ1x_05:%xlӍ(1vj~ 7ۅN,gaE"<T# AcBl8sXs/I>7=Ks}v`" ~6gIK-}x= %$Id`-߀93t^yȡ=Gi\tEeבe$&J1Z{JF!-]:q&Ѱ[bAtN[a>$N*׹d$3uggsI>~P~ Sچqf;W)^{3D3$ưz< H :BVF&3n=GIjg_7 BF3q< Y8[T"bNm& ”s]q퀗?4mOTx/F_| 3+R1=zH|k,XoϩD % #^Πb_wsԷeEQ&PL-8i*iůu Kw H, 7AQ^+yJ>? T@| %\6LDRg}J0~޶%3[L:>A{cU|ٱs]Ә3L1А8v2COA#t +e[a O2C24^wVulם8G dd9a7cx_u`'#~"3V[œA6hxM@(_Gْk0F=u}^n02)1<&`ߟ2"L- Ԣsg)+],by٨3&g0lB eȱ(lyJ͜GċOW<2oZP/jdV(],ӟ~H϶Q5¶`:Vڕ*zYD1e~}=3Ӳg(q72,@PތpPэk+Wei$ցi/)>ΘRnãÍGHǸӭ [ qy6` <Щ1D\bv9E9b7M ѨpSTؕEgld3^kggycD]Y>8Ѝ O1ngNb *φŀ𞭟{̾ 6 ^f+1ݱOet g)dv̅2 !δyyu~ҕ^)If`cQd+8*)ؐrkO`4bO1,F,oԛN*)Asa#Dl ;ApV?\:9~0#ŸEr,e ZN~LʙcM-^chX$֬-"K께#yQs3vnB .&DW6K5Ƙb޻Yy&L6 92lv* X>ˣŬ"&D0Ȯ'R:tsh{h۟X T*@a$9R3 ˊEj z.t3\04xqBaʩȩ(v}_\%hw2b5ŠӞ_yfϸȅv1,#6ĊN|]弽r1^@:mv;_yH%L=C QFk;O(QF2p68\S|;]`gd^z<%-ӻj D>Vju.>$+e={`o gs7*OР~oQWVIFv3HZ\֓Rvᷮ QBlS2Fu̹D/5^JB\sjHr0>d֊֎Mӝo3a-dcˤ_ lX:)