lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <47A0B90D.1030209@petefinnigan.com>
Date: Wed, 30 Jan 2008 17:51:09 +0000
From: Pete Finnigan <pete@...efinnigan.com>
To: bugtraq@...urityfocus.com
Subject: PeteFinnigan.com Limited advisory for Oracle January 2008 CPU


      Advisory for Oracle CPU January 2008 - Ultra Search excessive
      privileges


See http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm for details.


      Description

Oracle Ultra-Search uses database and Oracle text functionallity to 
provide a uniform search function that is fully integrated with the SQL 
language and where it allows full text search capabilities within the 
database. For more details see Introduction to Oracle Ultra Search 
<http://support.cs.nott.ac.uk/help/docs/databases/oracle/standard/ultra.101/b10731/over.htm>. 
The issue located by PeteFinnigan.com Limited relates to excessive 
privileges assigned to the WKSYS database schema/user account.


      Risk

If the WKSYS schema exists then the risk is still present without 
application of the patch. The CVSS score is 3.0 which is low but the 
risk increases if the schema is accessible due to a weak password or an 
additional attack vector that allows code to run as WKSYS. Access to the 
schema, either directly or indirectly are required to expliot this issue.


      Workaround

If the Oracle Ultra-Search functionallity is not required either 
directly or indirectly then ensure that this component is not installed. 
This can be verified by checking if the WKSYS schema is present in the 
database.


      Versions affected

The following Oracle database versions are affected

    * Database
          o 9.2.0.8 and lower
          o 10.1.0.5 and lower
          o 10.2.0.3 and lower
    * Application Server
          o 9.0.4.3 and lower
          o 10.1.2.2 and lower
    * Collaboration Suite
          o 10.1.2 and lower


      Patch Information

PeteFinnigan.com Limited advises customers to apply the January 2008 CPU 
patch as soon as is practical. See Oracle's advisory 
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html> 
for details of the patch availability matrix.


      Credit

Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.

cheers

Pete

-- 

Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

Specialists in database security

Phone: 0044 (0)1904 791188
Fax  : 0044 (0)1904 791188
Mob  : 0044 (0)7742 114223
email: pete@...efinnigan.com
site : http://www.petefinnigan.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ