The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is "very severe" and allows users to bypass the Oracle databases authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue.
Oracle Corp. said that it patches security holes in the order of their severity and categorized DB18 as a serious vulnerability with the potential for wide impact in the January Critical Patch Update [CPU], according to an e-mail statement.
Researchers in Impervas Application Defense Center discovered the security hole "a few months ago," though it has existed for years, Kramer said. "It goes all the way back to Version 8, but it wasnt patched until now."
The vulnerability allows any user of an Oracle database, including guest account users, to turn themselves into database administrators just by sending a SQL (Structured Query Language) command to the database during log-in, Kramer said.
The security hole is part of the standard user authentication mechanism used by Oracle database clients, according to information published by Imperva.
That authentication consists of two separate client requests and server responses.
By manipulating a variable in one of those requests that is used to set the language and location of the client, ordinary users with "create session" privileges can run commands as SYS, the highest-level Oracle account, Imperva said.
The flaw could allow any user to elevate the level of permissions, or take other actions, Kramer said.
"This is a vulnerability that can be exploited by someone who is not an expert. Someone who doesnt know how to program, just by changing one statement," he said.
Users can manipulate a standard file that is part of the Oracle client software so that a command of the users choosing is issued when the user logs on. A malicious user could choose to elevate his user account to the level of database administrator or make changes to the database configuration, said Alex Kornbrust, of Red Database-Security, in Neunkirchen, Germany.
"Its a kind of democracy. There are no longer any DBAs [database administrators]. On nearly every [Oracle] database out there, a user can become a DBA," he said.
Kornbrust shared details of the exploit with eWEEK but asked that the information not be made public because of security concerns.
Oracle learned of the hole from Imperva and patched it within three months as part of the scheduled CPU (Critical Patch Update) in January. Thats a remarkable feat for a company that often takes a year or more to issue fixes, said Kornbrust.
The company has also sent e-mail messages to customers that call attention to DB18 and advise them to fix it as soon as possible, said Arthur Merar, an Oracle database administrator at Great Lakes Naval Base in Chicago.
Merar said he will apply that patch and others across more than 65 production systems within the next week, after he and his staff has a chance to test the patches.