The October 2011 CPU contains 5 security fixes for the Oracle Database Server. Four out of the five vulnerabilities were reported by Application Security, Inc.’s TeamSHATTER researchers, Esteban Martinez Fayo and Martin Rakhmanov. In addition, for the second quarter in a row, Esteban Martinez Fayo was also recognized as a Security-in-Depth contributor for Oracle. Individuals are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases.
In this CPU, there are 5 fixes for the Oracle Database Server, the lowest number of vulnerabilities patched since the CPU process started in 2005. TeamSHATTER currently has several vulnerabilities waiting to be patched by Oracle. This low number of database patches continues a trend where Oracle appears to be losing focus on database security improvements, probably due to the many new product offerings and acquisitions.
Three of the five vulnerabilities are scored using Oracle’s Partial+ methodology – if these are recalculated as complete, the severity of these patches dramatically increases.
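To make the Partial+ versus Complete argument concrete, here is an added CVSS 2.0 base score calculator (not part of the original post). The vector string it uses is an assumption, since the advisory vectors are not reproduced here; it was chosen because it yields the 5.5 figure Oracle assigned to CVE-2011-3512, and re-rating its Partial impacts as Complete yields the 8.5 figure TeamSHATTER gives.

```python
# CVSS v2.0 base score calculator (equations and metric weights from the
# CVSS v2.0 specification). Added example; the vector below is an assumption
# chosen to reproduce the 5.5 vs 8.5 scores quoted for CVE-2011-3512.

AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # C/I/A impact (None/Partial/Complete)
ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:S/C:P/I:P/A:N' into a metric -> value dict."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    if set(metrics) != set(ORDER):
        raise ValueError(f"vector must contain exactly the metrics {ORDER}")
    return metrics


def base_score(vector):
    """CVSS 2.0 base score, rounded to one decimal as the spec requires."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f, 1)


def rerate_partial_as_complete(vector):
    """Return the vector with every Partial (P) impact raised to Complete (C),
    i.e. the recalculation the post argues for on Oracle's Partial+ ratings."""
    m = parse_vector(vector)
    for k in ("C", "I", "A"):
        if m[k] == "P":
            m[k] = "C"
    return "/".join(f"{k}:{m[k]}" for k in ORDER)


if __name__ == "__main__":
    oracle = "AV:N/AC:L/Au:S/C:P/I:P/A:N"  # assumed vector matching Oracle's 5.5
    print(oracle, base_score(oracle))
    rerated = rerate_partial_as_complete(oracle)
    print(rerated, base_score(rerated))    # 8.5, the TeamSHATTER figure
```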
Oracle Database Server Vulnerabilities, in order of importance/severity:
- CVE-2011-3525: This vulnerability allows any APEX developer user to fully compromise the hosting server. TeamSHATTER suggests this vulnerability should have a CVSS 2.0 score of 9.0. Anyone running Application Express should apply this patch immediately. While this vulnerability has a high CVSS 2.0 score, Application Express is only used by a small subset of database installations.
- CVE-2011-3512: This is the most severe vulnerability in the patch installment for all Oracle DBMS users: it does not require any optional packages and there is no workaround. This SQL injection vulnerability allows for complete compromise of the database. TeamSHATTER ranks this vulnerability as a CVSS 8.5, as opposed to Oracle’s 5.5 ranking. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be utilized.
- CVE-2011-2301: This vulnerability allows any user that can execute the vulnerable component to completely compromise an Oracle Database. By default, users with EXECUTE ANY PROCEDURE privileges and the CTXSYS default user have the privileges to exploit this vulnerability. TeamSHATTER ranks this vulnerability as a CVSS 8.5. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be utilized.
*Note: In rev. 3 of its Critical Patch Update Advisory, Oracle updated the description for this vulnerability to Network exploitable with Complete (Windows) and Partial+ (Linux and other OSs) impact on Availability, Integrity and Confidentiality.
- CVE-2011-3511: This vulnerability allows any user granted DB_ACTMGR (Account Manager users) to bypass Database Vault protections and change the password of the Database Vault owner, making it possible to completely compromise Database Vault protections. This only applies to customers using Database Vault.
- CVE-2011-2322: This is another vulnerability that allows changing the password of the Database Vault owner. It does however require SYSDBA privileges. This vulnerability was partially fixed in the April 2011 CPU. This only applies to customers using Database Vault.
Two of the vulnerabilities fixed in this CPU affect Oracle Database Vault. Remember, Database Vault is supposed to be a security add-on to the Oracle Database. However, it continues to be riddled with vulnerabilities. As long as these security products continue to have vulnerabilities each quarter, I remain suspicious of Oracle’s commitment to secure software.
To read the full Oracle Critical Patch Update Advisory: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html