Oracle CPU for April 2009By Adrian Lane
Oracle released the April 2009 Critical Patch Update; a couple serious issues are addressed with the database, and a couple more that concern web application developers.
For the database server, there are two vulnerabilities that can be remotely exploited without user credentials. As is typical, some of information that would help provide enough understanding or insight to devise a workaround is absent, but a couple are serious enough that you really do need to patch, and I will forgo a zombie DBA patching rant here. If you are an Oracle 9.2 user, and there are a lot of you out there still, there is a vulnerability with the resource manager. Basically, any user with create session privileges, and as all users are required to have this in order to connect to the database, it is only going to take one “Scott/Tiger”, default account or brute forced user account to exercise the bug and take control of the resource manager. Very few details are being published, and the CVSS “Base Score” system is misleading at best, but a score of 9 indicates a takeover of the resource manager, which is often used to enforce polices to stop DoS and other security/continuity policies, and possibly leveraged into other serious attacks I am not clever enough to come up with in my sleep deprived state. If this can be implemented by any valid user, it is likely a hacker will locate one and take advantage.
The second serious issue, referenced in CVE-2009-0985, is with the IMP_FULL_DATABASE procedure created by
catexp.sql, which runs automatically when you run
catalog.sql after the database installation. This means you probably have this functionality and role installed, and have a database import tool that runs under admin privileges- which a hacker can use on any schema. Attack scenarios over and above a straight DoS may not be obvious, but this would be pretty handy for surreptitious alteration and insertion, and the hacker would be able to then exercise this imported database. As I have mentioned in previous Oracle CPU posts, these packages tend to be built with the same set of assumptions and coding behaviors, so I would not be surprised if we discover that EMP_DATABASE_FULL and EXECUTE_CATALOG_ROLE have similar exploits, but this is conjecture on my part. This is serious enough that you need to patch ASAP! And if you have not already done so, you’ll want to review separation of user responsibilities across admin roles as well. I know it is a pain in the @$$ for smaller firms, but it avoids cascaded privileges in the event of a breach/hack.
Finally, CVE-2009-1006 for JRockit and CVE-2009-1012 for the WebLogic Server are in response to complete compromises (Base Score 10) to the system, and should be considered emergency patch items if you are using either product/platform. If we get enough information to provide any type of WAF signature I will, but it will be faster and safer to download and patch.
Red Database Security has been covering many of the details on these attacks, and there are some additional comments on the Tech Target site as well.