Oracle Database CREATE_CHANGE_SET procedure SQL injection vulnerability and patch - vulnerability warning - the black bar safety net

ID MYHACK58:62201028300
Type myhack58
Reporter Anonymous
Modified 2010-11-08T00:00:00


Vulnerability description:

Oracle is a large commercial database system.

The Change Data Capture component of Oracle Database provides the DBMS_CDC_PUBLISH PL/SQL package. The CREATE_CHANGE_SET procedure in this package contains a SQL injection vulnerability. A malicious user can pass specially crafted parameters when calling the vulnerable procedure, causing SQL statements to be executed with SYS user privileges.

Exploiting this vulnerability requires EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package. By default, users granted the EXECUTE_CATALOG_ROLE role have this permission.
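To gauge exposure to the precondition above, the following audit queries list every account that holds EXECUTE on SYS.DBMS_CDC_PUBLISH, directly or through role grants such as EXECUTE_CATALOG_ROLE. This is an added example, not part of the original advisory or Oracle's bulletin; it assumes the session can read the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added example: audit who can call SYS.DBMS_CDC_PUBLISH.
-- Assumes read access to the DBA_* data dictionary views.

-- 1. Users and roles granted EXECUTE on the package directly.
--    A grantee of PUBLIC here means every account is exposed.
SELECT grantee, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_PUBLISH'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. User accounts that inherit the privilege through role grants,
--    following nested roles (role granted to role granted to user).
SELECT h.grantee,
       h.via_role,          -- role that holds EXECUTE on the package
       u.account_status     -- OPEN, LOCKED, EXPIRED, ...
FROM  (SELECT DISTINCT
              rp.grantee,
              CONNECT_BY_ROOT rp.granted_role AS via_role
       FROM   dba_role_privs rp
       START  WITH rp.granted_role IN
              (SELECT tp.grantee
               FROM   dba_tab_privs tp
               WHERE  tp.owner      = 'SYS'
               AND    tp.table_name = 'DBMS_CDC_PUBLISH'
               AND    tp.privilege  = 'EXECUTE')
       CONNECT BY PRIOR rp.grantee = rp.granted_role) h
       JOIN dba_users u              -- keep user accounts, drop intermediate roles
         ON u.username = h.grantee
ORDER  BY h.via_role, h.grantee;
```

Accounts returned by the second query with an OPEN status and no operational need for Change Data Capture are the ones to review first on systems that have not yet received the patch.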

<reference 2 8 7 0 8 5 4 1 0 2 2 1 6 0&w=2 >

Vendor patch:

Oracle
------
Oracle has released a security bulletin (cpuoct2010) and the corresponding patch:

cpuoct2010: Oracle Critical Patch Update Advisory - October 2010
Links: