Hole Threatens Oracle Databases

Customers are urged to apply db18 critical patch immediately.

Oracle is advising its customers to quickly apply a critical database patch the company issued Jan. 17. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.

The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle8i, Oracle9i and Database 10g. The hole is "very severe" and allows users to bypass the Oracle databases authentication and become administrative "superusers," according to Shlomo Kramer, co-founder, president and CEO of Imperva, which discovered the hole. However, Kramer and others say that Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue.

Oracle did not respond to requests for comment.

Imperva researchers in the companys Application Defense Center discovered the security hole "a few months ago," though it has existed for years, said Kramer in Foster City, Calif. "It goes all the way back to Version 8, but it wasnt patched until now."

The vulnerability allows any user of an Oracle database, including guest account users, to turn themselves into database administrators just by sending a SQL command to the database during log-in, Kramer said.

Users can manipulate a standard file that is part of the Oracle client software so that a command of the users choosing is issued when the user logs in. A malicious user could choose to elevate his or her user account to the level of database administrator or make changes to the database configuration, said Alex Kornbrust, founder and business director of Red-Database-Security, in Neunkirchen, Germany.

"Its a kind of democracy. There are no longer any DBAs [database administrators]. On nearly every [Oracle] database out there, a user can become a DBA," Kornbrust said.

Kornbrust shared details of the exploit with eWEEK but asked that the information not be made public because of security concerns.

After learning of the hole from Imperva, Oracle patched it within three months as part of the scheduled CPU (Critical Patch Update ) in January. Thats a remarkable feat for a company that often takes a year or more to issue fixes, said Kornbrust.

The company also has sent e-mail messages to customers that call attention to DB18 and advise them to fix the hole as soon as possible, said Arthur Merar, an Oracle database administrator at Great Lakes Naval Base, in Chicago.

Merar said he would be applying that patch and others across more than 65 production systems within the next week, after he and his staff had a chance to test the fixes.

However, both Kornbrust and Kramer expressed concern that Oracle customers might not appreciate the seriousness of the security hole fixed by the DB18 patch.

"If you look at the fix theyve published, theres not a lot of information at all," Kramer said. "Its kind of unclear whats going on. Theyre not really giving enough information to customers."

Oracle has become the focus of increasing criticism from security experts for faulty patches and what some consider sluggish response to reports of security holes in its products.

On Jan. 23, Gartner issued a research note saying that the most recent CPU, which patched 82 software holes across the companys product lines, shows that Oracle "can no longer be considered a bastion of security."

Oracle has defended the security of its code and its internal processes for spotting security holes. The company cites its long tradition of secure development and recent changes, such as the introduction of automated static code analysis tools and the shift to quarterly patches, as evidence that it takes security seriously.

Hole lotta love

Details on DB18, one of 29 database patches issued in Oracles latest CPU

* Platform Affects Oracle8i, Oracle9i and Database 10g

* History Discovered by researchers in Impervas Application Defense Center in October; reported to Oracle; patched in Jan. 17 CPU

* Impact Extremely critical; Oracle users with "create session" privileges (including guest accounts) can execute commands for Oracle as "SYS" privileges, the highest administrative privileges possible

* How it works Users modify an Oracle client DLL used during log-in to set parameters such as locale and language; by changing the value "AUTH_ALTER_SESSION" to an arbitrary SQL statement, an attacker can execute any command in the database