What Does The April 2011 Oracle CPU Mean For DBAs And Database Security Staff?
I can’t believe it’s been three months already since Oracle released their last Critical Patch Update (CPU). This week, Oracle released the 26th CPU, with 73 new security fixes across 10 product families. At TeamSHATTER our focus is on the fixes to the Database. The Oracle Database Server Risk Matrix lists 9 fixes that directly or indirectly affect the Database; 3 of those are primarily listed under other product families but still have an impact on Database confidentiality, integrity or availability. Let’s go through all the fixes and see what they are all about:
- CVE-2011-0792 and CVE-2011-0799: These vulnerabilities affect the Oracle Warehouse Builder (OWB) component. OWB is a default component, pre-installed with Oracle 11gR2, and a non-default optional install for 10gR2 and 11gR1. These vulnerabilities allowed for a full compromise of the database server by a low-privileged user. TeamSHATTER is rating these vulnerabilities as a CVSS 9.0, in contrast to Oracle, which is using their non-standard ‘Partial+’ scoring to achieve a significantly lower rating. This is an extremely high risk vulnerability and should be patched immediately. Alternatively, I would recommend completely uninstalling the component if it is not required.
- CVE-2009-3555: This is a design error found in multiple products by various vendors, including industry standard libraries like OpenSSL. It allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL. How Oracle is rating the confidentiality impact of this as ‘None’ is quite puzzling to me. There is no workaround available for this, so any Oracle installation relying on the Oracle Security Service for encryption should apply this CPU immediately.
- CVE-2011-0787: This patch fixes multiple SQL Injection vulnerabilities in the Application Service Level Management component of Oracle Enterprise Manager (EM) Grid Control. These SQL Injection vulnerabilities allow any Oracle EM user to execute SQL statements as the SYSMAN database user (a user granted DBA privileges). TeamSHATTER is giving this vulnerability a CVSS score of 6.8.
- CVE-2011-0806: Allows a remote and unauthenticated attacker to take up 100% of the server’s CPU without crashing it. An easy Denial of Service (DoS), but limited to Windows systems, so most installations of Oracle are immune to this attack. TeamSHATTER is giving this vulnerability a CVSS score of 7.8.
- CVE-2011-0785: Little is publicly known about this vulnerability in the Oracle Help component of Oracle Fusion Middleware, except that it is exploitable remotely without authentication. Any installation with Oracle Fusion Middleware installed should apply this CPU.
- CVE-2011-0805: This is a vulnerability in UIX, a set of technologies that constitute a framework for building web applications. If this component is not required, a workaround for this vulnerability is to remove the UIX component from the Oracle installation.
- CVE-2011-0793: A vulnerability in Database Vault that allows a privileged user to change any user’s password, even if disallowed by the Database Vault configuration. Any installation using Database Vault to enforce separation of duties should apply this patch. TeamSHATTER is giving this vulnerability a CVSS score of 5.5.
- CVE-2011-0804: Another vulnerability in the Database Vault component that allows for a breach of confidentiality and integrity. Any installation using Database Vault should apply this patch.
Just like in previous Critical Patch Updates, Oracle has been downplaying the severity of the fixed issues by heavily using their proprietary ‘Partial+’ rating for various issues, giving Oracle users a false sense of security. Using the proper definitions of CVSS and appropriately replacing Partial+ with Complete increases the CVSS score by as much as 2.5, for example from 6.5 to 9.0. Don’t get fooled: do the math yourself to assess your risk and apply this patch ASAP.
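To make “do the math yourself” concrete, here is an added CVSS v2 base-score calculator (example code written for this post, not TeamSHATTER’s or Oracle’s tooling) that re-scores a vector published with ‘Partial+’ impacts as Complete. The vector AV:N/AC:L/Au:S (network-reachable, low complexity, one database login required) is an assumption chosen to reproduce the 6.5 → 9.0 example above; the post itself gives only the scores.

```python
"""CVSS v2 base-score calculator used to re-score a 'Partial+' impact as 'Complete'."""

# CVSS v2.0 base-metric weights, taken from the public CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # None / Partial / Complete


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:S/C:P/I:P/A:P' into a metric -> value dict."""
    return dict(part.split(":") for part in vector.split("/"))


def cvss2_base_score(vector):
    """Return the CVSS v2 base score (rounded to one decimal) for a base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def rescore_partial_plus(vector, partial_plus=("C", "I", "A")):
    """Return (published score, re-scored score) for a vector with 'Partial+' impacts.

    'Partial+' is not a CVSS v2 value: the published score is computed with the
    Partial weight (0.275). The re-score treats each metric listed in partial_plus
    as Complete (0.660), which is what the standard says a full compromise is.
    """
    m = parse_vector(vector)
    for metric in partial_plus:
        if m[metric] == "P":
            m[metric] = "C"
    complete_vector = "/".join(f"{k}:{v}" for k, v in m.items())
    return cvss2_base_score(vector), cvss2_base_score(complete_vector)


if __name__ == "__main__":
    # Assumed vector for a low-privileged user fully compromising the server,
    # with all three impacts published as 'Partial+'.
    published, rescored = rescore_partial_plus("AV:N/AC:L/Au:S/C:P/I:P/A:P")
    print(f"as published (Partial): {published}, re-scored as Complete: {rescored}")
```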
Any installation still running older versions of Oracle Database (9i and older) is no longer supported by this CPU and should be upgraded immediately. CVE-2009-3555, for example, affects old code that was used in Oracle 9i and older versions and will not be fixed anymore by Oracle, leaving those databases open for exploitation through known vulnerabilities.
Similar to the last CPU, Oracle shifted its patch focus away from the Database to its other product lines. Former SUN products are taking the cake with 18 issues fixed, followed by PeopleSoft with 14 patches. As a database security guy, this obviously worries me. I hope that Oracle does the right thing and works hard on bringing Oracle Database security into the 21st century.