Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PeteFinnigan.com Limited advisory for Oracle January 2008 CPU

from [Pete Finnigan] Network Security [Permanent Link]
Subject: PeteFinnigan.com Limited advisory for Oracle January 2008 CPU
Date: Wed, 30 Jan 2008 17:51:09 +0000 

     Advisory for Oracle CPU January 2008 - Ultra Search excessive
     privileges


See http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm for details.


     Description

Oracle Ultra-Search uses database and Oracle text functionallity to provide a uniform search function that is fully integrated with the SQL language and where it allows full text search capabilities within the database. For more details see Introduction to Oracle Ultra Search <http://support.cs.nott.ac.uk/help/docs/databases/oracle/standard/ultra.101/b10731/over.htm>. The issue located by PeteFinnigan.com Limited relates to excessive privileges assigned to the WKSYS database schema/user account.


     Risk

If the WKSYS schema exists then the risk is still present without application of the patch. The CVSS score is 3.0 which is low but the risk increases if the schema is accessible due to a weak password or an additional attack vector that allows code to run as WKSYS. Access to the schema, either directly or indirectly are required to expliot this issue.


     Workaround

If the Oracle Ultra-Search functionallity is not required either directly or indirectly then ensure that this component is not installed. This can be verified by checking if the WKSYS schema is present in the database.


     Versions affected

The following Oracle database versions are affected

   * Database
         o 9.2.0.8 and lower
         o 10.1.0.5 and lower
         o 10.2.0.3 and lower
   * Application Server
         o 9.0.4.3 and lower
         o 10.1.2.2 and lower
   * Collaboration Suite
         o 10.1.2 and lower


     Patch Information

PeteFinnigan.com Limited advises customers to apply the January 2008 CPU patch as soon as is practical. See Oracle's advisory <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html> for details of the patch availability matrix.


     Credit

Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.

cheers

Pete

--

Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

Specialists in database security

Phone: 0044 (0)1904 791188
Fax  : 0044 (0)1904 791188
Mob  : 0044 (0)7742 114223
email: pete@petefinnigan.com
site : http://www.petefinnigan.com


[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • PeteFinnigan.com Limited advisory for Oracle January 2008 CPU, Pete Finnigan <=
Previous by Date:  Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so Vulnerability, Cisco Systems Product Security Incident Response Team
Next by Date:  rPSA-2008-0032-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs, rPath Update Announcements
Previous by Thread:  Cisco Security Advisory: Cisco Wireless Control System Tomcat mod_jk.so Vulnerability, Cisco Systems Product Security Incident Response Team
Next by Thread:  rPSA-2008-0032-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]