

Last week, Oracle released a critical patch update for a SQL attack vulnerability that could give local attackers administrator-level privileges, and Apple patched Windows and Apple OS versions of QuickTime. Meanwhile a new report finds online attacks are hitting the bottom line.

A newly disclosed vulnerability in Oracle’s 8i, 9i, and 10g database servers could allow basic users to gain unrestricted database access. “By exploiting the flaw, any database user with minimal privileges can assume the role of database administrator. Moreover, any activity performed by the user while exploiting this flaw is not recorded by the database server’s built-in auditing mechanisms,” security vendor Imperva notes in a statement. Imperva says it discovered the flaw and notified Oracle in October 2005. Oracle’s latest critical patch update fixes the problem.

How does the flaw manifest? As Imperva notes, Oracle database security hinges on a user authenticating with a username and password. Yet “during the login process an Oracle user with no more than ‘create session’ privileges can execute commands in the context of the special database user ‘SYS.’ This grants any user the highest administrative privileges possible.”

The flaw stems from the fact that in the second of two different client and server requests during which a username and (obfuscated) password are communicated, various client attributes are also sent. In particular, one variable (‘AUTH_ALTER_SESSION’) telegraphs locale and language preferences. According to Imperva, however, “it turns out that this value can contain any SQL statement,” which would then get executed with SYS-level privileges, skirting normal access control restrictions. “In particular, the attacker can create a new database account and grant DBA privileges to the new account.”
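As an added illustration, not code from the article, from Imperva or from Oracle, of the kind of server-side check this flaw calls for: a client-supplied AUTH_ALTER_SESSION value is accepted only when it is a single ALTER SESSION SET statement assigning NLS_* locale parameters, and anything else (a different statement, stacked statements, comments) is rejected before it can reach a SYS-level executor. The parameter allow-list and the check itself are assumptions for this example; the article does not describe how Oracle’s patch constrains the value.

```python
import re

# Constructed allow-list of NLS session parameters a client may set at login.
# Assumption for this example; Oracle's real NLS parameter set is larger.
ALLOWED_NLS_PARAMS = {
    "NLS_LANGUAGE", "NLS_TERRITORY", "NLS_DATE_FORMAT", "NLS_DATE_LANGUAGE",
    "NLS_SORT", "NLS_CURRENCY", "NLS_NUMERIC_CHARACTERS", "NLS_TIMESTAMP_FORMAT",
}

# Whole body must be one or more NLS_X = 'literal' assignments and nothing else.
_BODY = re.compile(r"^(?:\s*NLS_[A-Z_]+\s*=\s*'[^']*')+\s*$", re.IGNORECASE)
_PARAM = re.compile(r"(NLS_[A-Z_]+)\s*=\s*'[^']*'", re.IGNORECASE)
_HEAD = re.compile(r"^ALTER\s+SESSION\s+SET\s+(.+)$", re.IGNORECASE | re.DOTALL)


def validate_auth_alter_session(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied AUTH_ALTER_SESSION value.

    Accepts an empty value or a single ALTER SESSION SET statement whose
    assignments all target allow-listed NLS parameters with quoted literals.
    """
    text = (value or "").strip()
    if not text:
        return True, "empty value"
    # A locale setting never needs a statement terminator or a SQL comment;
    # their presence is the signature of a second, smuggled statement.
    if any(tok in text for tok in (";", "--", "/*", "*/")):
        return False, "statement terminator or comment present"
    head = _HEAD.match(text)
    if not head:
        return False, "not an ALTER SESSION SET statement"
    body = head.group(1)
    if not _BODY.match(body):
        return False, "body is not a list of NLS_* = 'literal' assignments"
    for name in _PARAM.findall(body):
        if name.upper() not in ALLOWED_NLS_PARAMS:
            return False, f"parameter {name.upper()} not in allow-list"
    return True, "well-formed locale statement"


if __name__ == "__main__":
    # Constructed sample values: one legitimate locale setting, then inputs
    # that carry something other than locale preferences.
    samples = [
        "ALTER SESSION SET NLS_LANGUAGE='AMERICAN' NLS_TERRITORY='AMERICA'",
        "ALTER SESSION SET NLS_LANGUAGE='AMERICAN'; GRANT DBA TO PUBLIC",
        "GRANT DBA TO PUBLIC",
        "ALTER SESSION SET NLS_LANGUAGE='AMERICAN' CURRENT_SCHEMA=SYS",
    ]
    for s in samples:
        print(validate_auth_alter_session(s), "<-", s)
```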
