Major Security Hole Found in Oracle Database

Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.

The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10.

The hole is "very severe" and allows users to bypass the Oracle database's authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole.

However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue.

Oracle Corp. said that it patches security holes in the order of their severity and categorized DB18 as a serious vulnerability with the potential for wide impact in the January Critical Patch Update [CPU], according to an e-mail statement.

Researchers in Imperva's Application Defense Center discovered the security hole "a few months ago," though it has existed for years, Kramer said. "It goes all the way back to Version 8, but it wasn't patched until now."

The vulnerability allows any user of an Oracle database, including guest account users, to turn themselves into database administrators just by sending a SQL (Structured Query Language) command to the database during log-in, Kramer said.

The security hole is part of the standard user authentication mechanism used by Oracle database clients, according to information published by Imperva.

That authentication consists of two separate client requests and server responses.

By manipulating a variable in one of those requests that is used to set the language and location of the client, ordinary users with "create session" privileges can run commands as SYS, the highest-level Oracle account, Imperva said.

The flaw could allow any user to elevate the level of permissions, or take other actions, Kramer said.

"This is a vulnerability that can be exploited by someone who is not an expert. Someone who doesn't know how to program, just by changing one statement," he said.

Users can manipulate a standard file that is part of the Oracle client software so that a command of the user's choosing is issued when the user logs on.

A malicious user could choose to elevate his user account to the level of database administrator or make changes to the database configuration, said Alex Kornbrust, of Red Database-Security, in Neunkirchen, Germany.

"It's a kind of democracy. There are no longer any DBAs [database administrators]. On nearly every [Oracle] database out there, a user can become a DBA," he said.

Kornbrust shared details of the exploit with eWEEK but asked that the information not be made public because of security concerns.

Oracle learned of the hole from Imperva and patched it within three months as part of the scheduled CPU (Critical Patch Update) in January. That's a remarkable feat for a company that often takes a year or more to issue fixes, said Kornbrust.

The company has also sent e-mail messages to customers that call attention to DB18 and advise them to fix it as soon as possible, said Arthur Merar, an Oracle database administrator at Great Lakes Naval Base in Chicago.

Merar said he will apply that patch and others across more than 65 production systems within the next week, after he and his staff has a chance to test the patches.

However, both Kornbrust and Kramer expressed concern that Oracle customers might not appreciate the seriousness of the security hole fixed by the DB18 patch.

"If you look at the fix they've published, there's not a lot of information at all," Kramer said. "It's kind of unclear what's going on. They're not really giving enough information to customers."

For example, Oracle does not provide details on the nature of the vulnerability, the risks involved or how the company's patch fixes the problem, Kramer said.

"People are saying that the CPU in January was not that severe, but it's really important to apply [DB18]," Kornbrust said.

Details of the Oracle patches can be difficult for less technical staff to interpret, Merar agreed.

"A lot of people aren't that technical, and it's difficult for them to understand what [the patch fixes]," he said.

Oracle has become the focus of increasing criticism from security experts for faulty patches and what some consider sluggish response to reports of security holes in its products.

On Monday, Gartner issued a research note saying that the most recent CPU, which patched 82 software holes across the company's product lines, shows that Oracle "can no longer be considered a bastion of security."

Oracle has defended the security of its code and its internal processes for spotting security holes. The company cites its long tradition of secure development, its recent changes, like the introduction of automated static code analysis tools, and the shift to quarterly patches as evidence that it takes security seriously.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's Weblog.

Copyright © 2006 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.