April 18, 2012

Oracle released its latest vulnerability list.  What this release highlights is the fact that Oracle should provide work-around instructions rather than dogmatically stick to immediate patching as the single alternative. 

This one has 88 patches.  Only four issues are in the Oracle database server whereas six are in MySQL database server.   Key observations regarding the four database vulnerabilities, two are interesting:

  • One vulnerability is severe, ranking 9 on a 10 scale.  What is significant about this issue?  It is the most severe even though exploiting it requires authentication.  In this case, the vulnerability is in a component that is installed by default and  known to have been vulnerable in the past on more than a few occasions.  What does this component do?  It allows users to do geometric searches.  However, geometric search is not used very widely.  Since the geometric search isn’t used very much, so Oracle should recommend, for example, removing the package altogether so only those who need it are exposed to it.
  • The second vulnerability is a 7.1 on a 10 scale since it’s a complex exploit—but this seems low.  Why?  This vulnerability requires two procedures:  create library and create procedure.  What is of most interest here it the create library capability which maps the OS module to the database—an inherently dangerous process because you could map any OS native code to be mapped as stored procedures accessible through a DB SQL session.  We suspect that the vulnerability allows server takeover using uncontrolled mapping, and that the patch reduces the ability to map arbitrary modules.  Regardless, a better method would be to simply not allow anyone but an administrator to perform this process. 

 

 


Authors:

Share:
Share on LinkedIn

Comments

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment

Comments are moderated, and will not appear until the author has approved them.