Oracle Corp.s patch fix comes almost a month to the day after David Litchfield, managing director at United Kingdom-based Next Generation Security Software Ltd., brought the faulty patch to the companys attention.
The April "Critical Patch Update" (available here as a PDF) addressed 70 security flaws in Oracle database and application server products, but during routine testing, Litchfield discovered that the patch was sending scripts to the wrong directory and that the source of the actual flaw was not addressed.
"Whilst analyzing the April update, I noticed some failures in it, which meant certain issues the patch was supposed to fix were actually left unfixed," Litchfield said in an interview with Ziff Davis Internet News.
"I was looking at the patch and testing it against the vulnerability, and, after properly applying it on a test server, I noticed that the vulnerability still existed. One of the Java classes wasnt loading properly," Litchfield said.
Digging deeper, Litchfield said he found that the actual source of the problem lies within the underlying Java class files. "The April [patch update] fails to properly load the newer patched classes, which means that these problems can still be exploited," he added, warning that all platforms are affected by the incomplete patch.
On Windows, both 32 bit and 64 bit, Litchfield detected a second problem that could be exploited to allow a guest user with low privileges to gain full administrative rights to the database. "Once you elevate those privileges, you can do anything you want with that database," Litchfield added.
Litchfield, who is well regarded for his research work on security in database products, said the privilege-escalation flaw could allow an attacker to run arbitrary SQL by abusing the "CTXSYS.DRILOAD" package to gain DBA privileges.
"This was discovered by multiple persons and was initially fixed in August 2004. However, the April Critical Patch Update copies the updated SQL script file to the wrong directory, and if previous patches [August 2004 or January 2005] have not applied then you will still be vulnerable to this attack even if the April CPU has been applied," he explained in a public advisory.
Litchfield said he reported the problems to Oracle in early June and confirmed that the company has made the necessary corrections. Oracle customers can find updated information on the MetaLink paid customer support portal.
"They [Oracle] have sent out e-mail notices to everyone who downloaded those patches. There is updated documentation on Metalink that explains what steps were needed to fix the issues properly."
"Oracle customers should know that if they dont take these extra steps, they are still vulnerable to a very serious vulnerability," Litchfield added.
Efforts by Ziff Davis Internet News to contact Oracle were not successful.
Oracle has been heavily criticized in the past for a lack of haste in addressing critical security flaws. The issue came to a head at the BlackHat briefings in Las Vegas last summer when Litchfield released details on more than two dozen security holes in Oracle products that had not been fixed.
At the time, Oracle confirmed that it was aware of the vulnerabilities—some of them critical—for several months.
The public relations fallout from that incident prompted Oracle to shift to a quarterly patch cycle, in which four "Critical Patch Updates" will be posted every year.
Oracles next batch of patches is due next July 12, the same day that Microsoft Corp. is scheduled to ship three security bulletins.