Alexander Kornbrust Oracle Security Blog

Yesterday night I got the following email from Oracle support:

———————————————————————————-

Dear Oracle Customer,

You are receiving this email because our records indicated you downloaded Critical Patch Update July 2008 (CPUJul2008) patch for one or more of the following:

o    Oracle Database 10.1.0.5 for the following platforms:
o    Windows 32-bit (Patch 7047034)
o    Windows 64-bit (Patch 7047037)

Symptom and cause of issue
The 10.1.0.5 Database Windows Bundle Patch #26 did not correctly install the sdotopo.jar file.

Workaround if any
Please follow the following manual steps to install sdotopo.jar.

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar sdotopo.jar_save
>cd <windows bundle patch location>
>cd files\md\lib
>copy sdotopo.jar %ORACLE_HOME%\md\lib\sdotopo.jar

In the event  you need to rollback to the previous sdotopo.jar:

>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar_save sdotopo.jar

These steps are also documented in MetaLink Note 579285.1  ¿Critical Patch Update July 2008 Database Known Issues

Action
Follow the manual steps noted above to install the sdotopo.jar file..

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.

Regards,
Oracle Global Product Support

Few hours ago Bruce Lowenthal sent me an email that Oracle forgot to inform me what was fixed. Hey how can you forget me. I am reporting bugs since several years… 😉 6 of my vulnerabilities are now history (if you apply the April patches or a new patchset like 10.2.0.4).3 of the vulnerabilities are the affecting Oracle Spatial. The packages SDO_UTIL [DB05], SDO_GEOM [DB06]  and SDO_IDX [DB07] are vulnerable against SQL Injection. SDO_IDX is also vulnerable in Oracle 11g.

1 vulnerability is a hardcoded default password OUTLN [DB13] for the user OUTLN. In some special cases the Oracle database is resetting the password of the user OUTLN to OUTLN and grants DBA privileges to this user.

The CPU is also fixing 2 PL/SQL injection vulnerabilities from Paul Wright (see Paul’s blog entry). At the moment there is no additional information about vulnerabilities available.

This CPU provides also fixes the the Inline-View and Create-View problem.

Few minutes ago Oracle was releasing the latest Oracle CPU for April 2008 fixing 41 new vulnerabilities (15 in the database). 1 of the database vulnerabilities DB08 can be exploited remotely. APEX contains a SQL Injection vulnerability APEX01 and 1 remote exploitable vulnerability APEX02.

This time Oracle secalert forgot to inform the researchers (usual suspects: Cesar, Esteban, Stephen, Joxean… plus a few others) so we a not aware what vulnerabilities were fixed. Oracle normally informs the researchers in advance what vulnerabilities will be fixed in the upcoming CPU. The most critical issue (CVSS rating 6.6) is an issue in the Oracle Enterprise Manager. DB02-DB07 are SQL Injection vulnerabilities (5.5 is the typical CVSS value for that issue).

Oracle probably fixed the following of our vulnerabilities (we reported bugs in these packages):
* SQL Injection in SDO_GEOM (Tracking ID: 10051851)
* SQL Injection in SDO_UTIL (Tracking ID: 10051595)
* SQL Injection in SDO_IDX (Tracking ID: 10051649)

We will post more information soon…