Oracle Database CREATE_CHANGE_SET Procedure SQL Injection Vulnerability and Patch

2010-11-08T00:00:00
ID MYHACK58:62201028300
Type myhack58
Reporter Anonymous
Modified 2010-11-08T00:00:00

Description

Vulnerability description:

Oracle is a large commercial database system.

The Change Data Capture component of Oracle Database provides the DBMS_CDC_PUBLISH PL/SQL package. The CREATE_CHANGE_SET procedure in this package contains a SQL injection vulnerability. A malicious user can call the vulnerable procedure with specially crafted parameters, causing SQL statements to be executed with SYS user privileges.

Exploiting this vulnerability requires EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package. By default, users granted the EXECUTE_CATALOG_ROLE role have this permission.
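To see which accounts meet the privilege requirement described above, the data dictionary can be queried for every grantee that holds EXECUTE on SYS.DBMS_CDC_PUBLISH, directly or through a chain of roles. This query is an added example, not part of the original advisory; it assumes it is run by an account that can read the DBA_ views (for example one holding SELECT_CATALOG_ROLE).

```sql
-- Added example (not from the advisory): list accounts that can execute
-- SYS.DBMS_CDC_PUBLISH, either by direct grant or through nested roles.
-- Assumption: the session can read DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS.
WITH direct_grants AS (
    -- Users, roles or PUBLIC granted EXECUTE on the package itself
    SELECT grantee
    FROM   dba_tab_privs
    WHERE  owner      = 'SYS'
    AND    table_name = 'DBMS_CDC_PUBLISH'
    AND    privilege  = 'EXECUTE'
),
paths AS (
    SELECT grantee, 'direct grant' AS via
    FROM   direct_grants
    UNION ALL
    -- Walk down from each directly granted role to everything that
    -- holds it, including roles granted to other roles.
    SELECT rp.grantee,
           'role ' || CONNECT_BY_ROOT rp.granted_role AS via
    FROM   dba_role_privs rp
    START WITH rp.granted_role IN (SELECT grantee FROM direct_grants)
    CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
)
SELECT DISTINCT
       p.grantee,
       CASE
           WHEN p.grantee = 'PUBLIC' THEN 'ALL USERS'
           ELSE u.account_status
       END AS account_status,
       p.via
FROM   paths p
LEFT JOIN dba_users u
       ON u.username = p.grantee
-- Keep real accounts and PUBLIC; intermediate roles are dropped here
WHERE  u.username IS NOT NULL
   OR  p.grantee = 'PUBLIC'
ORDER  BY p.grantee, p.via;
```

Rows whose via column reads "role EXECUTE_CATALOG_ROLE" are the default exposure the advisory describes; any other row is a grant added locally.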

References:

http://secunia.com/advisories/41815/
http://marc.info/?l=full-disclosure&m=128708541022160&w=2
http://www.us-cert.gov/cas/techalerts/TA10-287A.html
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Vendor patch:

Oracle
------
Oracle has released a security bulletin, cpuoct2010, as well as the corresponding patch:

cpuoct2010: Oracle Critical Patch Update Advisory - October 2010
Link: http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html