Oracle is a large commercial database system.
The Change Data Capture component of Oracle Database is provided in the DBMS_CDC_PUBLISH PL/SQL package. The package's CREATE_CHANGE_SET procedure contains a SQL injection vulnerability. A malicious user can call the vulnerable procedure with a specially crafted parameter, causing SQL statements to be executed with SYS user privileges.
Exploiting this vulnerability requires EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package. By default, users granted the EXECUTE_CATALOG_ROLE role have this permission.
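To see which accounts meet the precondition above, the following audit queries can be run against the data dictionary. This is an added example, not part of the original advisory; it assumes the auditor can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views.

```sql
-- Added example: audit who can execute SYS.DBMS_CDC_PUBLISH.
-- Assumes SELECT access to the DBA_* dictionary views.

-- 1) Direct grantees (users, roles, or PUBLIC) of EXECUTE on the package.
--    If PUBLIC appears here, every account meets the precondition.
SELECT grantee, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_PUBLISH'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2) User accounts that hold the privilege directly or through any
--    chain of nested roles (for example via EXECUTE_CATALOG_ROLE).
WITH direct_grantees AS (
    SELECT grantee
    FROM   dba_tab_privs
    WHERE  owner      = 'SYS'
    AND    table_name = 'DBMS_CDC_PUBLISH'
    AND    privilege  = 'EXECUTE'
),
role_chain AS (
    -- Start at role grants whose role holds the privilege directly,
    -- then walk to whoever was granted that grantee in turn.
    SELECT grantee,
           SYS_CONNECT_BY_PATH(granted_role, ' <- ') AS role_path
    FROM   dba_role_privs
    START  WITH granted_role IN (SELECT grantee FROM direct_grantees)
    CONNECT BY PRIOR grantee = granted_role
)
SELECT u.username, u.account_status, 'direct grant' AS obtained_via
FROM   dba_users u
WHERE  u.username IN (SELECT grantee FROM direct_grantees)
UNION ALL
SELECT u.username, u.account_status, r.role_path AS obtained_via
FROM   dba_users u
JOIN   role_chain r ON r.grantee = u.username
ORDER  BY 1, 3;
```

Accounts listed with an OPEN status that have no operational need for Change Data Capture publishing are the ones to review first.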
References:
http://secunia.com/advisories/41815/
http://marc.info/?l=full-disclosure&m=128708541022160&w=2
http://www.us-cert.gov/cas/techalerts/TA10-287A.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
Oracle
------
Oracle has released a security bulletin, cpuoct2010, as well as the corresponding patch:
cpuoct2010: Oracle Critical Patch Update Advisory - October 2010
Link: http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html