Security flaw fixed
Unfortunately, I didn't have enough time to post this note earlier – I was totally booked, and that was much more important than Internet, web forums and blogs...
At October 17th Oracle officially released eighth Critical Patch Update (CPU). This CPU fixes about one hundred Oracle bugs, and its advisory is currently available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
Among others, it finally suggests a fix to the dire security hole I came across in April:
http://andrewmax.blogspot.com/2006/04/yet-another-security-alert.html
I have applied October CPU and, according to tests I've made, the problem is really resolved – any attempt of unauthorized data modification now fails with ORA-01031 (insufficient privileges) error.
My corresponding Metalink SR got finally closed.
In "Credits" section of CPU advisory, Oracle kindly credited me as well as other persons and organizations for bringing security problems to Oracle’s attention:
I'm very glad to realize that the story is over – having such hole unfixed for a long time is like sitting on a ticking bomb: sooner or later, it goes.
In short - I’d recommend applying October CPU as soon as possible, or else you leave your Oracle database vulnerable, both data integrity and security can be easily compromised.
Andrew.
At October 17th Oracle officially released eighth Critical Patch Update (CPU). This CPU fixes about one hundred Oracle bugs, and its advisory is currently available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
Among others, it finally suggests a fix to the dire security hole I came across in April:
http://andrewmax.blogspot.com/2006/04/yet-another-security-alert.html
I have applied October CPU and, according to tests I've made, the problem is really resolved – any attempt of unauthorized data modification now fails with ORA-01031 (insufficient privileges) error.
My corresponding Metalink SR got finally closed.
In "Credits" section of CPU advisory, Oracle kindly credited me as well as other persons and organizations for bringing security problems to Oracle’s attention:
The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Johannes Fahrenkrug; Sacha Faust of S.P.I. Dynamics, Inc.; Esteban Martinez Fayo of Application Security, Inc.; Jeff Kayser of Database Doctor, Inc.; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.; and Andrew Maksimenko of COMEC-92 (me).
I'm very glad to realize that the story is over – having such hole unfixed for a long time is like sitting on a ticking bomb: sooner or later, it goes.
In short - I’d recommend applying October CPU as soon as possible, or else you leave your Oracle database vulnerable, both data integrity and security can be easily compromised.
Andrew.