CVE-2015-0393: Oracle releases a serious security vulnerability alert

ID MYHACK58:62201558331
Type myhack58
Reporter Anonymous
Modified 2015-01-24T00:00:00


On Tuesday Oracle published its first Critical Patch Update (CPU) announcement of the year, and with it came some disturbing vulnerability warnings. Operations staff may need to spend the next couple of days applying the 169 newly released security patches to their company's Oracle products... Among them is a serious vulnerability in Oracle E-Business Suite, which is analyzed below.


Suspected Backdoor: Vulnerability CVE-2015-0393

David Litchfield, known in the community as the "Oracle Hunter", found a severe vulnerability in Oracle on June 11 of last year that looks like a backdoor: CVE-2015-0393.

Litchfield has disclosed some details of the vulnerability:

In this vulnerability, the Oracle database grants the PUBLIC role the INDEX privilege on the DUAL table, which means that any user can create an index on that table.

The DUAL table is an internal table owned by the SYS user. All users can access it under the name DUAL, and it is always present. After creating a function-based index on the DUAL table, an attacker temporarily obtains the SYSDBA privileges of the SYS user, can execute arbitrary SQL statements, and can then try to take control of the entire server. If an E-Business Suite instance with this vulnerability can be reached remotely from outside the network, then as long as the attacker has the PUBLIC role, no user password is required, and a large wave of follow-on exploitation becomes possible.
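
The grant described above can be audited from a DBA account. The queries below are an added example, not part of the original article or of Oracle's advisory; they use the standard DBA_TAB_PRIVS, DBA_INDEXES, DBA_OBJECTS and DBA_IND_EXPRESSIONS dictionary views, and the closing REVOKE is an assumption about a suitable mitigation that the article itself does not state.

```sql
-- Added example: audit for the PUBLIC INDEX grant on SYS.DUAL.
-- Run as a user with access to the DBA_* dictionary views.

-- 1. Is the grant present? A row with grantee PUBLIC means every
--    database user may create indexes on SYS.DUAL.
SELECT grantee, owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DUAL'
AND    privilege = 'INDEX';

-- 2. Has the privilege already been used? An index on SYS.DUAL that is
--    owned by a non-SYS schema needs investigation; the creation time
--    from DBA_OBJECTS helps place it on an incident timeline.
SELECT i.owner, i.index_name, i.index_type, o.created, o.last_ddl_time
FROM   dba_indexes i
JOIN   dba_objects o
       ON  o.owner = i.owner
       AND o.object_name = i.index_name
       AND o.object_type = 'INDEX'
WHERE  i.table_owner = 'SYS'
AND    i.table_name = 'DUAL';

-- 3. For any function-based index found in step 2, show the expression
--    (and therefore the function) that the index evaluates.
SELECT index_owner, index_name, column_expression
FROM   dba_ind_expressions
WHERE  table_owner = 'SYS'
AND    table_name = 'DUAL';

-- 4. Generalization beyond the article: the same class of grant to
--    PUBLIC on any other SYS-owned table.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner = 'SYS'
AND    privilege IN ('INDEX', 'ALTER', 'REFERENCES')
ORDER  BY table_name, privilege;

-- 5. Mitigation (assumption, not from the article): remove the grant.
--    Apply Oracle's patches as well, and test this on a non-production
--    E-Business Suite instance first.
REVOKE INDEX ON sys.dual FROM PUBLIC;
```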
