Today I reported 6 new security vulnerabilities to Oracle (2 Data Vault, 2 Auditing, 1 Discoverer, 1 Password Verification Function). Even if Oracle Security is getting better (see also discussion on Pete’s Blog) there are still enough bugs available.
Portcullis Labs released their free scanner BSQL Hacker for detecting blind sql injection. BSQL Hacker is supporting Oracle, MSSQL and MySQL. At the moment I have no time to play longer with this tool but it looks promising (see video).
Yesterday night I got the following email from Oracle support:
———————————————————————————-
Dear Oracle Customer,
You are receiving this email because our records indicated you downloaded Critical Patch Update July 2008 (CPUJul2008) patch for one or more of the following:
o Oracle Database 10.1.0.5 for the following platforms:
o Windows 32-bit (Patch 7047034)
o Windows 64-bit (Patch 7047037)
Symptom and cause of issue
The 10.1.0.5 Database Windows Bundle Patch #26 did not correctly install the sdotopo.jar file.
Workaround if any
Please follow the following manual steps to install sdotopo.jar.
>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar sdotopo.jar_save
>cd <windows bundle patch location>
>cd files\md\lib
>copy sdotopo.jar %ORACLE_HOME%\md\lib\sdotopo.jar
In the event you need to rollback to the previous sdotopo.jar:
>cd %ORACLE_HOME%\md\lib
>copy sdotopo.jar_save sdotopo.jar
These steps are also documented in MetaLink Note 579285.1 ¿Critical Patch Update July 2008 Database Known Issues
Action
Follow the manual steps noted above to install the sdotopo.jar file..
Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.
Regards,
Oracle Global Product Support
12 days ago the german security researcher Kingcope released an 0day exploit (remote denial of service without credentials, CVSS2 score of 10) for the BEA Weblogic Apache Connector on milworm. Yesterday Oracle published a fix for this vulnerability.
It took only 11 days to provide a fix for this issue which is incredible fast for Oracle.
2 weeks ago Oracle released the instant client 10.2.0.4 for Mac OS Intel. Yesterday I had the time to recompile checkpwd (checkpwd for other platforms) with the new instant client. The compilation worked flawless.
The performance of checkpwd with the native Oracle Mac client is 50% faster than the previous version for PPC.
Here are the links:
And here sidguess recompiled for Mac – Intel:
Few hours ago Bruce Lowenthal sent me an email that Oracle forgot to inform me what was fixed. Hey how can you forget me. I am reporting bugs since several years… 😉 6 of my vulnerabilities are now history (if you apply the April patches or a new patchset like 10.2.0.4).3 of the vulnerabilities are the affecting Oracle Spatial. The packages SDO_UTIL [DB05], SDO_GEOM [DB06] and SDO_IDX [DB07] are vulnerable against SQL Injection. SDO_IDX is also vulnerable in Oracle 11g.
1 vulnerability is a hardcoded default password OUTLN [DB13] for the user OUTLN. In some special cases the Oracle database is resetting the password of the user OUTLN to OUTLN and grants DBA privileges to this user.
The CPU is also fixing 2 PL/SQL injection vulnerabilities from Paul Wright (see Paul’s blog entry). At the moment there is no additional information about vulnerabilities available.
This CPU provides also fixes the the Inline-View and Create-View problem.