Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.
The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is “very severe” and allows users to bypass the Oracle databases authentication and become administrative “super users,” according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue.
Oracle Corp. said that it patches security holes in the order of their severity and categorized DB18 as a serious vulnerability with the potential for wide impact in the January Critical Patch Update [CPU], according to an e-mail statement.
Researchers in Impervas Application Defense Center discovered the security hole “a few months ago,” though it has existed for years, Kramer said. “It goes all the way back to Version 8, but it wasnt patched until now.”
The vulnerability allows any user of an Oracle database, including guest account users, to turn themselves into database administrators just by sending a SQL (Structured Query Language) command to the database during log-in, Kramer said.
The security hole is part of the standard user authentication mechanism used by Oracle database clients, according to information published by Imperva.
That authentication consists of two separate client requests and server responses.
By manipulating a variable in one of those requests that is used to set the language and location of the client, ordinary users with “create session” privileges can run commands as SYS, the highest-level Oracle account, Imperva said.
The flaw could allow any user to elevate the level of permissions, or take other actions, Kramer said.
“This is a vulnerability that can be exploited by someone who is not an expert. Someone who doesnt know how to program, just by changing one statement,” he said.
Users can manipulate a standard file that is part of the Oracle client software so that a command of the users choosing is issued when the user logs on. A malicious user could choose to elevate his user account to the level of database administrator or make changes to the database configuration, said Alex Kornbrust, of Red Database-Security, in Neunkirchen, Germany.
“Its a kind of democracy. There are no longer any DBAs [database administrators]. On nearly every [Oracle] database out there, a user can become a DBA,” he said.
Kornbrust shared details of the exploit with eWEEK but asked that the information not be made public because of security concerns.
Oracle learned of the hole from Imperva and patched it within three months as part of the scheduled CPU (Critical Patch Update) in January. Thats a remarkable feat for a company that often takes a year or more to issue fixes, said Kornbrust.
The company has also sent e-mail messages to customers that call attention to DB18 and advise them to fix it as soon as possible, said Arthur Merar, an Oracle database administrator at Great Lakes Naval Base in Chicago.
Merar said he will apply that patch and others across more than 65 production systems within the next week, after he and his staff has a chance to test the patches.
However, both Kornbrust and Kramer expressed concern that Oracle customers might not appreciate the seriousness of the security hole fixed by the DB18 patch.
“If you look at the fix theyve published, theres not a lot of information at all,” Kramer said. “Its kind of unclear whats going on. Theyre not really giving enough information to customers.”
For example, Oracle does not provide details on the nature of the vulnerability, the risks involved or how the companys patch fixes the problem, Kramer said.
“People are saying that the CPU in January was not that severe, but its really important to apply [DB18],” Kornbrust said.
Details of the Oracle patches can be difficult for less technical staff to interpret, Merar agreed.
“A lot of people arent that technical, and its difficult for them to understand what [the patch fixes],” he said.
Oracle has become the focus of increasing criticism from security experts for faulty patches and what some consider sluggish response to reports of security holes in its products.
On Monday, Gartner issued a research note saying that the most recent CPU, which patched 82 software holes across the companys product lines, shows that Oracle “can no longer be considered a bastion of security.”
Oracle has defended the security of its code and its internal processes for spotting security holes. The company cites its long tradition of secure development, its recent changes, like the introduction of automated static code analysis tools, and the shift to quarterly patches as evidence that it takes security seriously.
Editors Note: This story was updated to include more information about how the exploit works and comment from Oracle on the severity of the vulnerability.