Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team SHATTER Security Advisory
SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
August 4, 2008
Risk Level:
Medium
Affected versions:
Oracle Database Server versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1
Remote exploitable:
Yes (Authentication to Database Server is needed)
Credits:
This vulnerability was discovered and researched by Esteban Martínez
Fayó of Application Security Inc.
Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL
Injection in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure of this package with specially crafted parameters
and execute SQL statements with the elevated privileges of SYS user.
Impact:
Any Oracle database user with EXECUTE privilege on the package
SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users
granted DBA have the required privilege. Exploitation of this
vulnerability allows an attacker to execute SQL commands with SYS
privileges.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS package.
Fix:
Apply Oracle Critical Patch Update July 2008 available at Oracle Metalink.
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592
Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkiXMToACgkQ9EOAcmTuFN3LGQCeK6pvkshjrIqiw8rdmE8tWIdK
O9sAnjeSiwasj2U7SpoPhQVvYKyYvUMI
=X2Bp
-----END PGP SIGNATURE-----