Examining the Oracle October 2005 Critical Patch Update in depth,
NGSResearchers discovered a number of problems which have all since been
reported to Oracle. As well as new vulnerabilities and problems with the
patches for old vulnerabilities, the October 2005 CPU fails to install the
patched Oracle Text (CTXSYS) components on Oracle 8.1.7.4 on all operating
systems. This is due to a problem with the install sql script: rather than
executing
SELECT DBMS_REGISTRY.SCRIPT('CONTEXT','@ctxcpu.sql')....
the install script executes
SELECT DBMS_REGISTRY.SCRIPT('CTX','@ctxcpu.sql')....
So, even if you have Oracle Text installed the patch installer will not
install the updated PL/SQL packages. The fall out from this means that your
servers may still be vulnerable to the Oracle Text flaws; these allow a low
privileged user to gain DBA privileges. Further, if the RDBMS is part of a
web application that uses Oracle Portal (OAS, IAS, Oracle HTTP Server) then
an attacker may exploit this from the Internet without a userID and
password.
To check if you are still vulnerable execute the following query
select owner,package_name,object_name from all_arguments where owner =
'CTXSYS' and package_name = 'DRILOAD' and object_name = 'VALIDATE_STMT';
If no row is returned then you are not vulnerable but if a row is returned
then you are vulnerable. In this case you should manually apply the
ctxcpu.sql script.
NGSSQuirreL for Oracle, the leading vulnerability assessment scanner for
Oracle RDBMSes, checks for these problems as well as the other many issues
that still afflict Oracle. More information about NGSSQuirreL can be found
here - http://www.ngssoftware.com/squirrelora.htm
Cheers,
The NGSResearch Team
