TeamSHATTER’s Analysis Of The October 2011 Oracle CPU

Posted October 18, 2011 by Alex Rothacker in Database Security, Database Vendor, Oracle, Team Shatter Exclusive with 5 comments

Oracle just released its October 2011 Critical Patch Update with 57 vulnerabilities across multiple Oracle products.

The October 2011 CPU contains 5 security fixes for the Oracle Database Server. Four of the five vulnerabilities were reported by Application Security, Inc.’s TeamSHATTER researchers, Esteban Martinez Fayo and Martin Rakhmanov. In addition, for the second quarter in a row, Esteban Martinez Fayo was recognized as a Security-in-Depth contributor by Oracle. Individuals are recognized for Security-in-Depth contributions when they provide information, observations or suggestions about security vulnerability issues that result in significant modification of Oracle code or documentation in future releases.

In this CPU there are 5 fixes for the Oracle Database Server, the lowest number of vulnerabilities patched since the CPU process started in 2005. TeamSHATTER currently has several vulnerabilities waiting to be patched by Oracle. This low number of database patches continues a trend in which Oracle appears to be losing focus on database security improvements, probably because of its many new product offerings and acquisitions.

Three of the five vulnerabilities are scored using Oracle’s Partial+ methodology; if they are recalculated as Complete, the severity of these patches increases dramatically.

Oracle Database Server vulnerabilities, in order of importance/severity:

  • CVE-2011-3525: This vulnerability allows any APEX developer user to fully compromise the hosting server. TeamSHATTER suggests this vulnerability should have a CVSS 2.0 score of 9.0. Anyone running Application Express should apply this patch immediately. While this vulnerability has a high CVSS 2.0 score, Application Express is only used by a small subset of database installations.
  • CVE-2011-3512: This is the most severe vulnerability in this patch installment for all Oracle DBMS users: it does not require any optional packages and there is no workaround. This SQL injection vulnerability allows complete compromise of the database. TeamSHATTER ranks this vulnerability as CVSS 8.5, as opposed to Oracle’s 5.5 ranking. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be used.
  • CVE-2011-2301: This vulnerability allows any user that can execute the vulnerable component to completely compromise an Oracle Database. By default, users with the EXECUTE ANY PROCEDURE privilege and the CTXSYS default user have the privileges needed to exploit this vulnerability. TeamSHATTER ranks this vulnerability as CVSS 8.5. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be used.
    *Note: In rev. 3 of its Critical Patch Update Advisory, Oracle updated the description of this vulnerability to network exploitable, with Complete (Windows) and Partial+ (Linux and other OSs) impact on Availability, Integrity and Confidentiality.
  • CVE-2011-3511: This vulnerability allows any user granted DV_ACCTMGR (the Database Vault Account Manager role) to bypass Database Vault protections and change the password of the Database Vault owner, making it possible to completely compromise Database Vault protections. This only applies to customers using Database Vault.
  • CVE-2011-2322: This is another vulnerability that allows changing the password of the Database Vault owner. It does, however, require SYSDBA privileges. This vulnerability was partially fixed in the April 2011 CPU. This only applies to customers using Database Vault.

Two of the vulnerabilities fixed in this CPU affect Oracle Database Vault. Remember, Database Vault is supposed to be a security add-on to the Oracle Database. However, it continues to be riddled with vulnerabilities. As long as these security products continue to have vulnerabilities each quarter, I remain suspicious of Oracle’s commitment to secure software.

To read the full Oracle Critical Patch Update Advisory: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

Comments

  1. Giridhar
    posted on 19 October 2011

    Thanks for explanation about CPUs every quarter.
    Why is Oracle listing APEX in the Database category?

  2. posted on 19 October 2011

    My guess is, because they consider it an optional database component. In the past they have also included fixes to Oracle Enterprise Manager in the Database Category.

  3. Guy
    posted on 15 November 2011

    Does anyone know if Oracle Spatial needs to be installed for CVE-2011-3512 to be exploited? I am reading that all that is required is a user with CREATE TABLE and CREATE PROCEDURE, but that the exploit is done through DROP SPATIAL INDEXES.

    Thanks.
    Guy

  4. posted on 15 November 2011

    Guy,

    you are correct, this is exploited through DROP SPATIAL INDEX. The vulnerability is in the spatial data types. A minimal installation of Oracle Database does not have these data types installed; a default install does.
    Oracle Spatial is not the only product that installs these types; Multimedia, for example, installs them too.

    You can test whether you have the spatial data types installed by creating a table with a spatial column. For example, if the following succeeds and the Oct 11 CPU is not applied, then the system is vulnerable:
    CREATE TABLE myTbl (col1 MDSYS.SDO_GEOMETRY);

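A dictionary-based version of that check, added here as an example and not part of Alex’s reply or of any TeamSHATTER tooling: it confirms the spatial types are present without creating a table, looks for the October 2011 CPU in the patch registry (the 'CPUOct2011' comment pattern is an assumption about how the patch records itself), and counts open accounts that hold the two privileges Guy mentions, directly or through one level of role.

```sql
-- Added exposure check for CVE-2011-3512 (example code, not from the post).
-- Run as a DBA in SQL*Plus. Assumption: the CPU writes 'CPUOct2011' into
-- DBA_REGISTRY_HISTORY.COMMENTS; adjust the pattern if your entry differs.
SET SERVEROUTPUT ON
DECLARE
  v_spatial_types NUMBER;
  v_cpu_applied   NUMBER;
  v_exposed_users NUMBER;
BEGIN
  -- 1. Same fact the CREATE TABLE test proves, read from the dictionary:
  --    is MDSYS.SDO_GEOMETRY installed at all?
  SELECT COUNT(*) INTO v_spatial_types
    FROM dba_types
   WHERE owner = 'MDSYS' AND type_name = 'SDO_GEOMETRY';

  -- 2. Has the October 2011 CPU been recorded in the patch registry?
  SELECT COUNT(*) INTO v_cpu_applied
    FROM dba_registry_history
   WHERE UPPER(comments) LIKE '%CPUOCT2011%';

  -- 3. Open accounts holding both CREATE TABLE and CREATE PROCEDURE,
  --    granted directly or via a role granted directly to the user
  --    (nested roles would need a recursive walk of dba_role_privs).
  WITH effective AS (
    SELECT grantee, privilege FROM dba_sys_privs
    UNION ALL
    SELECT r.grantee, p.privilege
      FROM dba_role_privs r
      JOIN dba_sys_privs p ON p.grantee = r.granted_role
  )
  SELECT COUNT(*) INTO v_exposed_users
    FROM dba_users u
   WHERE u.account_status = 'OPEN'
     AND EXISTS (SELECT 1 FROM effective e
                  WHERE e.grantee = u.username AND e.privilege = 'CREATE TABLE')
     AND EXISTS (SELECT 1 FROM effective e
                  WHERE e.grantee = u.username AND e.privilege = 'CREATE PROCEDURE');

  IF v_spatial_types = 0 THEN
    DBMS_OUTPUT.PUT_LINE('Spatial types not installed: CVE-2011-3512 not reachable here.');
  ELSIF v_cpu_applied > 0 THEN
    DBMS_OUTPUT.PUT_LINE('Spatial types present, but CPUOct2011 is recorded: patched.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('EXPOSED: spatial types present and no CPUOct2011 entry; '
      || v_exposed_users || ' open account(s) hold CREATE TABLE and CREATE PROCEDURE.');
  END IF;
END;
/
```

The registry lookup is only as reliable as the patch’s own entry, so treat a "patched" verdict as a prompt to confirm with OPatch rather than as proof.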
  5. Guy
    posted on 15 November 2011

    Hi Alex,

    thanks very much for taking the time to answer my question and for your clear explanation. I have been looking for this information for a few days without success.

    I will definitely use the CREATE TABLE you provided to check if our databases are vulnerable.

    Thanks again!
    Guy
