|
SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
July 29, 2008
Risk Level:
Medium
Affected versions:
Oracle Database Server
versions 9iR1, 9iR2, 10gR1, 10gR2 and 11gR1
Remote exploitable:
Yes (Authentication to
Database Server is
needed)
Credits:
This vulnerability was
discovered and
researched by Esteban
Martínez Fayó of Application
Security Inc.
Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection
in the DELETE_TRAN procedure. A malicious user can call the
vulnerable procedure
of this package with specially crafted parameters and execute SQL statements with
the elevated privileges of SYS user.
Impact:
Any Oracle database user
with EXECUTE privilege
on the package SYS.DBMS_DEFER_SYS
can exploit this
vulnerability. By default, users granted DBA have the
required privilege.
Exploitation of this
vulnerability allows an
attacker to execute SQL
commands with SYS privileges.
Vendor Status:
Vendor was contacted and
a patch was released.
Workaround:
Restrict access to the SYS.DBMS_DEFER_SYS
package.
Fix:
Apply Oracle Critical
Patch Update July 2008
available at Oracle
Metalink.
Links:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2592
Timeline:
Vendor Notification - 9/24/2007
Vendor Response - 9/28/2007
Fix - 7/15/2008
Public Disclosure - 7/23/2008
|
