Security Advisory: Oracle DBMS - Critical Patch Update 04/18/06

Abstract

On April 18, 2006, Oracle released a Critical Patch Update (CPU) that contains fixes for some 36 security vulnerabilities, of which 13 are directly related to the company's widely deployed database servers (see: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html). This security advisory discusses the database vulnerabilities and available workarounds.

The Vulnerabilities

Most of the flaws fixed by this CPU are SQL injection and buffer overflow vulnerabilities in supplied stored procedures, with the Oracle Spatial and replication packages leading the vulnerability parade again. Researchers have disclosed details for some of the vulnerabilities. Unlike the previous CPU, released in January this year, this one contains no network protocol flaws.

Oracle urges all customers to install the patch as soon as possible. However, researchers claim that, at least for some Oracle versions, the patch does not completely fix the published vulnerabilities. In addition, there are no patches available for the Oracle 10g Express Edition, although it is vulnerable to at least some of the flaws mentioned in the CPU.

Workaround

To reduce the risk posed by the published vulnerabilities, customers can restrict access to the vulnerable stored procedures and, in particular, revoke PUBLIC access to them. In addition, some privileges (i.e. enable constraints) should be restricted from non-administrative users.
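
One way to carry out the revocation described above, as an added example that is not part of the original advisory or of Oracle's guidance. The owner and package names are placeholders, because the advisory does not name the affected packages; the queries assume an account that can read the DBA_ dictionary views.

```sql
-- Added example. OWNER_PLACEHOLDER / PACKAGE_PLACEHOLDER_n are placeholders:
-- replace them with the packages listed in the CPU documentation.

-- 1. Which of the packages under review can PUBLIC execute today?
SELECT owner, table_name AS package_name, grantor
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    (owner, table_name) IN (('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_1'),
                               ('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_2'))
ORDER  BY owner, table_name;

-- 2. Which objects in other schemas reference those packages while their
--    owner holds no direct EXECUTE grant? These most likely rely on the
--    PUBLIC grant and are candidates for invalidation after the revoke.
--    (An owner with EXECUTE ANY PROCEDURE is not affected; review by hand.)
SELECT d.owner, d.name, d.type, d.referenced_owner, d.referenced_name
FROM   dba_dependencies d
WHERE  (d.referenced_owner, d.referenced_name) IN
         (('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_1'),
          ('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_2'))
AND    d.owner <> d.referenced_owner
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs g
                   WHERE  g.grantee    = d.owner
                   AND    g.owner      = d.referenced_owner
                   AND    g.table_name = d.referenced_name
                   AND    g.privilege  = 'EXECUTE')
ORDER  BY d.owner, d.name;

-- 3. Generate the REVOKE statements for review; nothing is revoked until
--    the generated text is executed. Grant EXECUTE directly to the schemas
--    found in step 2 first if they legitimately need the package.
SELECT 'REVOKE EXECUTE ON "' || owner || '"."' || table_name ||
       '" FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    (owner, table_name) IN (('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_1'),
                               ('OWNER_PLACEHOLDER', 'PACKAGE_PLACEHOLDER_2'));

-- 4. After revoking, list anything that went invalid.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```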

Database administrators and security officers should bear in mind that, according to security researchers, there are still many more open security issues already reported to Oracle over the past year that are not answered by the current CPU.

SecureSphere customers can rely on their DSG for protection against the uncovered vulnerabilities until patches are installed. The Dynamic Profiling technology alerts on and blocks any attempt to use commands (including stored procedures) that are not part of a user’s normal access profile. In addition, vulnerable stored procedures are detected by SecureSphere’s known vulnerabilities engine.

Disclaimer

The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, contact adc@imperva.com for permission.