Analysis of the October 2011 Oracle CPU Database Patches

Wednesday, October 19, 2011

Alexander Rothacker


Oracle just released its October 2011 Critical Patch Update with 57 vulnerabilities across multiple Oracle products.

The October 2011 CPU contains 5 security fixes for the Oracle Database Server. Four out of the five vulnerabilities were reported by Application Security, Inc.’s TeamSHATTER researchers, Esteban Martinez Fayo and Martin Rakhmanov.

In addition, for the second quarter in a row, Esteban Martinez Fayo was also recognized as a Security-in-Depth contributor by Oracle.

Individuals are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases.

In this CPU, there are 5 fixes for the Oracle Database Server, the lowest number of vulnerabilities patched since the CPU process started in 2005. TeamSHATTER currently has several vulnerabilities waiting to be patched by Oracle.

This low number of database patches continues a trend where Oracle appears to be losing focus on database security improvements, probably due to its many new product offerings and acquisitions.


Three of the five vulnerabilities are scored using Oracle’s Partial+ methodology; if these are recalculated as Complete, the severity of these patches increases dramatically.

Oracle Database Server vulnerabilities, in order of importance/severity:

  • CVE-2011-3525: This vulnerability allows any APEX developer user to fully compromise the hosting server. TeamSHATTER suggests this vulnerability should have a CVSS 2.0 score of 9.0. Anyone running Application Express should apply this patch immediately. While this vulnerability has a high CVSS 2.0 score, Application Express is only used by a small subset of database installations.
  • CVE-2011-3512: This is the most severe vulnerability in the patch installment for all Oracle DBMS users: it does not require any optional packages and there is no workaround. This SQL injection vulnerability allows complete compromise of the database. TeamSHATTER ranks this vulnerability as a CVSS 8.5, as opposed to Oracle’s 5.5 ranking. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be utilized.
  • CVE-2011-2301: This vulnerability allows any user that can execute the vulnerable component to completely compromise an Oracle Database. By default users with EXECUTE ANY PROCEDURE privileges and the CTXSYS default user have the privileges to exploit this vulnerability. TeamSHATTER ranks this vulnerability as a CVSS 8.5. This patch should be applied immediately or if not possible, compensating controls such as database activity monitoring should be utilized.
  • CVE-2011-3511: This vulnerability allows any user granted DB_ACTMGR (Account Manager users) to bypass Database Vault protections and change the password of the Database Vault owner, making it possible to completely compromise Database Vault protections. This only applies to customers using Database Vault.
  • CVE-2011-2322: This is another vulnerability that allows changing the password of the Database Vault owner. It does however require SYSDBA privileges. This vulnerability was partially fixed in the April 2011 CPU. This only applies to customers using Database Vault.
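To decide which of the five fixes actually matter for a given instance before the patch window, the data-dictionary queries below triage exposure along the lines the post describes. This is an added example, not from the post or from TeamSHATTER; the views and columns are standard Oracle ones, the component IDs 'APEX' and 'DV' are assumed to be the registry entries for Application Express and Database Vault, and the DV_% role pattern is assumed to cover the Database Vault account manager role named above.

```sql
-- Exposure triage for the October 2011 CPU database fixes (added example).
-- Run as a DBA. Component IDs and the DV_% role pattern are assumptions.

-- CVE-2011-3525 applies only if Application Express is installed;
-- CVE-2011-3511 and CVE-2011-2322 only if Database Vault is installed.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('APEX', 'DV');

-- CVE-2011-2301: who holds EXECUTE ANY PROCEDURE, directly or through a
-- role (one level of role nesting is resolved here).
SELECT grantee, 'DIRECT' AS via
  FROM dba_sys_privs
 WHERE privilege = 'EXECUTE ANY PROCEDURE'
UNION ALL
SELECT rp.grantee, 'ROLE ' || rp.granted_role
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'EXECUTE ANY PROCEDURE'
 ORDER BY 1;

-- CVE-2011-2301: is the CTXSYS default account open? If Oracle Text is not
-- in use, keeping it locked removes one of the default paths named above.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE username = 'CTXSYS';

-- CVE-2011-3511: accounts holding Database Vault roles, including the
-- account manager role; review each grant against actual need.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role LIKE 'DV\_%' ESCAPE '\'
 ORDER BY granted_role, grantee;
```

Grantees that appear in the second and fourth result sets are the accounts whose activity database activity monitoring should watch until the patch is applied.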

Two of the vulnerabilities fixed in this CPU affect Oracle Database Vault. Remember, Database Vault is supposed to be a security add-on to the Oracle Database.

However, it continues to be riddled with vulnerabilities. As long as these security products continue to have vulnerabilities each quarter, I remain suspicious of Oracle’s commitment to secure software.

UPDATE 10/25/11: CVE-2011-2301: This vulnerability allows any user that can execute the vulnerable component to completely compromise an Oracle Database. By default, users with EXECUTE ANY PROCEDURE privileges and the CTXSYS default user have the privileges to exploit this vulnerability. TeamSHATTER ranks this vulnerability as a CVSS 8.5. This patch should be applied immediately or, if that is not possible, compensating controls such as database activity monitoring should be utilized.

*Note: In rev. 3 of its Critical Patch Update Advisory, Oracle updated the description for this vulnerability to network exploitable with Complete (Windows) and Partial+ (Linux and other OSs) impact on Availability, Integrity and Confidentiality.

Cross-posted from TeamSHATTER.com
