TeamSHATTER Analysis Of The July 2011 Oracle CPU

Sunday, July 31, 2011

Alexander Rothacker


Another July, another Oracle CPU. With ‘unbreakable’ timeliness, Oracle released their 27th Critical Patch Update recently.

This time around, they shipped 78 security fixes over all their product families. Sixteen of the fixes are specific to the Oracle Database, but a total of 30 fixes have an impact on database confidentiality, integrity or availability.

I am very pleased to see that Oracle has refocused their efforts on fixing database issues.

This is something that I and others have loudly criticized in the last few CPUs.


Now, let’s take a more thorough look at each of the fixes in order of importance:

  • CVE-2011-0835, CVE-2011-0880 and CVE-2011-0838: While these fixes are only rated with a CVSS score of 6.5 using Oracle’s ‘Partial+’ scoring, rescoring these as ‘Complete’ for all impact metrics changes the score to 9.0. It should also be noted that these vulnerabilities only require CREATE SESSION privileges, a privilege assigned to all enabled accounts. These fixes should be addressed immediately – either by applying the patches or implementing compensating controls such as activity monitoring and blocking.
  • CVE-2011-0832: Similar to the previous issues, this issue uses ‘Partial+’ scoring to rank it as a 6.0. Using a ‘Complete’ score, this vulnerability ranks as an 8.5. This vulnerability is also exploitable with only CREATE SESSION privileges and should be addressed immediately.
  • CVE-2011-2232: Only installations of Oracle that have the XML developer kit installed are susceptible to this vulnerability. TeamSHATTER is again rating this with a CVSS score of 8.5. This vulnerability requires immediate remediation, either by removing the XML dev kit, or applying the CPU.
  • CVE-2011-2239 and CVE-2011-2253: Both of these vulnerabilities allow for a complete takeover of the server; however, they do require elevated privileges, SYSDBA in one case and CREATE LIBRARY in the other. They also have a high access complexity. There is no workaround available for this, so any Oracle installation relying on the Oracle Security Service for encryption should apply this CPU immediately.
  • CVE-2011-2232: This vulnerability allows an unauthenticated user to take down the database from a remote location in a simple Denial of Service (DoS) attack. This should be patched soon, but at a lower priority than the previous issues.
  • CVE-2011-2238: This vulnerability allows for changes to the integrity of an Oracle Database Vault installation. For systems critical enough to warrant Database Vault this is a serious issue and should be addressed immediately.

A total of 18 fixes in this CPU are for Oracle Enterprise Manager (OEM) Grid Control; 11 of those are attributed to vulnerabilities reported by TeamSHATTER’s Esteban Martinez Fayo, who has been credited in 25 (out of 27) Critical Patch Updates.

The majority of the OEM issues are Cross Site Scripting (XSS) or Cross Site Request Forgery issues, allowing for remote and unauthenticated exploitation. All installations of OEM Grid Control should be patched immediately. Failure to do so puts the security of all managed databases at risk.

There are 3 fixes for Oracle Secure Backup, one with the highest possible CVSS score of 10.0. Backups are an often overlooked security risk, and I can’t stress enough that these installations should be patched ASAP.

In this CPU, Esteban Martinez Fayo has been credited as a Security-In-Depth contributor by Oracle, which Oracle describes as follows:

“People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.”

We appreciate this additional recognition; however, I have to point out that the particular issue for which Esteban received credit was of an extremely critical nature. I am hoping for a fix to be released in the immediate future.

This brings me to my final point. Database Vault, Secure Backup and OEM are all products that are supposed to make Oracle more secure or help to manage it in a secure way.

As long as these products continue to be riddled with vulnerabilities, I remain deeply suspicious of Oracle’s commitment to secure software.

To read the full CPU details: http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

Cross-posted from www.TeamSHATTER.com
