US-CERT Vulnerability Notes Database


Oracle Corporation Information for VU#932124

Date Notified: 2006-05-02
Date Updated:
Status Summary: Vulnerable

Vendor Statement

There have been several public disclosures of vulnerabilities in the dbms_export_extension package. All of them, save one, are fixed in previous Critical Patch Updates. The most recent disclosure was irresponsibly published by a hacker as a "0day", meaning that there were no patches yet prepared for the issue. We have fixed this latest issue in our main code line, and are working on backports for all affected product versions and platforms. When these are completed, and all customers can obtain a patch for the vulnerability, we will release the patch in a Critical Patch Update.

Currently, there is no workaround that will not potentially affect product functionality. The dbms_export_extension package may be revoked from public, but we would caution that this configuration should be fully tested by customers before implementing in production.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There may be multiple ways to reach the DBMS_EXPORT_EXTENSION package. When testing whether the package is accessible, consider, besides PUBLIC, user accounts and roles that hold EXECUTE on DBMS_EXPORT_EXTENSION (including roles granted through other roles), and PL/SQL code that calls DBMS_EXPORT_EXTENSION with user-influenced input. A definer's-rights procedure, for example, runs with its owner's grants, so any caller of that procedure reaches the package without holding a grant of their own.

Note that these are only two examples of configurations that may allow access to the DBMS_EXPORT_EXTENSION package; other access paths may exist.
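The access paths the addendum describes, together with the PUBLIC revoke mentioned in the vendor statement, as an added example that is not part of the US-CERT note or of Oracle's own guidance. It assumes a DBA session on an Oracle 10g or later database and the standard data-dictionary views DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_DEPENDENCIES, DBA_PROCEDURES and DBA_SOURCE; the CONNECT BY NOCYCLE clause needs 10g or later.

```sql
-- Added example (not from the US-CERT note or Oracle): inventory of who can
-- reach SYS.DBMS_EXPORT_EXTENSION, run as a DBA. Assumes Oracle 10g+ and the
-- standard DBA_* dictionary views named below.

-- 1. Every grantee holding EXECUTE directly: PUBLIC (the default grant) plus
--    any other user or role that was granted it explicitly.
SELECT grantee, grantor, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_EXPORT_EXTENSION'
AND    privilege = 'EXECUTE'
ORDER BY grantee;

-- 2. Users who reach the package through a role, including nested roles
--    (role granted to role granted to user). Starts from every non-PUBLIC
--    grantee of EXECUTE and walks the role graph down to user accounts.
SELECT DISTINCT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_role_privs
         START WITH granted_role IN (
                  SELECT grantee
                  FROM   dba_tab_privs
                  WHERE  owner = 'SYS'
                  AND    table_name = 'DBMS_EXPORT_EXTENSION'
                  AND    privilege = 'EXECUTE'
                  AND    grantee <> 'PUBLIC')
         CONNECT BY NOCYCLE PRIOR grantee = granted_role)
ORDER BY u.username;

-- 3. Stored PL/SQL that references the package. A definer's-rights unit
--    (AUTHID = 'DEFINER') runs with its owner's grants, so anyone allowed to
--    execute that unit reaches DBMS_EXPORT_EXTENSION even after the PUBLIC
--    grant is revoked. Review these callers for user-influenced arguments.
SELECT DISTINCT d.owner, d.name, d.type, p.authid
FROM   dba_dependencies d
LEFT JOIN dba_procedures p
       ON p.owner = d.owner
      AND p.object_name = d.name
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_name = 'DBMS_EXPORT_EXTENSION'
ORDER BY d.owner, d.name;

-- 4. Dynamic SQL (EXECUTE IMMEDIATE, DBMS_SQL) is invisible to
--    DBA_DEPENDENCIES; a text search over stored source catches it.
--    The package's own source is excluded.
SELECT DISTINCT owner, name, type
FROM   dba_source
WHERE  UPPER(text) LIKE '%DBMS_EXPORT_EXTENSION%'
AND    NOT (owner = 'SYS' AND name = 'DBMS_EXPORT_EXTENSION')
ORDER BY owner, name;

-- 5. The workaround Oracle mentions: revoke the default PUBLIC grant. This
--    closes only the broadest path; grantees found by queries 1 to 4 keep
--    theirs. Oracle cautions that it can affect product functionality, so
--    test it outside production first.
REVOKE EXECUTE ON SYS.DBMS_EXPORT_EXTENSION FROM PUBLIC;
```

Queries 1 to 4 answer the addendum's question of who can reach the package; query 2 matters because a grant to a role is easy to miss when only DBA_TAB_PRIVS is checked, and query 4 because calls built as strings never appear in DBA_DEPENDENCIES. Re-run the inventory after the revoke and again after the July 2006 Critical Patch Update is applied.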

Oracle has addressed this problem in the Oracle Critical Patch Update for July 2006: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information