Oracle has released a patch for a recently-discovered
critical security vulnerability affecting its database
servers.
The buffer overflow vulnerability affects all supported versions
of Oracle database servers and could enable a remote attacker to
compromise the data stored in Oracle and gain control over the
machine hosting the database server, according to a
security alert posted by Oracle.
Affected versions include Oracle7 Release 7.3.x, all releases of
Oracle8 and 8i and Release 1 and 2 of the Oracle 9i database.
On Friday (25 April), Oracle provided an interim or "one-off"
patch for two versions of its 9i database and one version of its 8i
database.
A patch for Oracle 8 database version 8.0.6.3 was available for
customers with extended maintenance support, but the company said
it had no plans to provide patches for earlier versions of its
database.
Oracle encouraged customers running affected versions of its
database software for which patches were available to apply the
patch immediately.
The vulnerability exists in code responsible for handling Create
Database Link queries, which enable one Oracle database to query
information stored in another database, according to security
company Next Generation Security Software, which discovered the
vulnerability.
An attacker can create a database link with an overly long value and
then attempt to use that link, triggering the buffer overflow.
The overflow can cause a denial of service against the Oracle
database and, possibly, enable attackers to execute their own
attack code on the database machine, NGSSoftware said.
The Create Database Link privilege is enabled by default for the
Connect role, which is a standard role assigned to almost every
active Oracle account, enabling users to connect to databases. The
privilege is enabled regardless of whether additional Oracle
database servers exist on a network, according to NGSSoftware.
Organisations that are unable to apply the patch can protect
themselves by removing the Create Database Link privilege from the
Connect role. However, users should check that such a move does not
affect applications that use the Oracle database, David Litchfield,
managing director of NGSSoftware, said.
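As an added example (not from the article, Oracle or NGSSoftware), the following Oracle SQL, run from a DBA account, performs the check and the role change described above: it lists who holds CREATE DATABASE LINK through the CONNECT role and which schemas already own links before the privilege is revoked. The schema name `app_schema` is a placeholder.

```sql
-- Added example: assess and remove CREATE DATABASE LINK from CONNECT.
-- Run as a DBA. app_schema below is a placeholder, not a real schema.

-- 1. Confirm which roles and users hold the privilege on this instance
--    (CONNECT is expected to appear among the grantees).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- 2. Accounts that inherit the privilege simply by holding CONNECT.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
 ORDER BY grantee;

-- 3. Existing links. Owners of private links are the application schemas
--    most likely to need the privilege again (e.g. when re-creating a link
--    during deployment); using an existing link does not require it.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- 4. Remove the privilege from the role that almost every account holds.
REVOKE CREATE DATABASE LINK FROM connect;

-- 5. Re-grant only to the specific schemas identified in step 3.
--    (Commented out: app_schema is a placeholder.)
-- GRANT CREATE DATABASE LINK TO app_schema;

-- 6. Verify that CONNECT no longer carries the privilege.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
   AND grantee = 'CONNECT';
```

Step 6 should return no rows; any schema that legitimately creates links must then be granted the privilege directly, as in step 5.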
In its alert, Oracle said the vulnerability was unlikely to be
exploited remotely, except in cases where the Oracle database was
connected directly to the internet, without the protection of a
firewall or application server.
However, the widespread availability of the Create Database Link
privilege means the vulnerability could provide an avenue of attack
for an insider with low-level access to an Oracle database,
enabling the insider to abscond with more sensitive information,
said Litchfield.
The widespread use of Oracle's product to store critical
information that could be the target of corporate espionage or
identity theft schemes makes the database link vulnerability
particularly serious, Litchfield said.
Still, the vulnerability is not easy to exploit. Attackers would
need advanced knowledge of the Oracle database and the ability to
write low-level exploit code in assembly language to take
advantage of the flaw, Litchfield said.
However, once one exploit has been created, it could easily be
distributed to other attackers on the internet who could then use
it to carry out attacks without any knowledge of either Oracle or
advanced coding techniques, he said.