Oracle Corporation Affected

Notified: May 02, 2006
Updated: July 19, 2006

Status

Affected

Vendor Statement

There have been several public disclosures of vulnerabilities in the dbms_export_extension package. All of them, save one, are fixed in previous Critical Patch Updates. The most recent disclosure was irresponsibly published by a hacker as a "0day", meaning that there were no patches yet prepared for the issue. We have fixed this latest issue in our main code line, and are working on backports for all affected product versions and platforms. When these are completed, and all customers can obtain a patch for the vulnerability, we will release the patch in a Critical Patch Update. Currently, there is no workaround that will not potentially affect product functionality. The dbms_export_extension package may be revoked from public, but we would caution that this configuration should be fully tested by customers before implementing in production.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

There may be multiple ways to reach the DBMS_EXPORT_EXTENSION package. When testing whether the package is reachable, do not stop at the EXECUTE grant to PUBLIC: also consider user accounts and roles other than PUBLIC that have been granted access to DBMS_EXPORT_EXTENSION, and PL/SQL code (in particular definer's-rights procedures that lower-privileged users can execute) that calls DBMS_EXPORT_EXTENSION with user-influenced input. These are only two examples of configurations that expose the package; other access paths may exist. Oracle has addressed this problem in the Oracle Critical Patch Update for July 2006: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html.
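The following queries are an added example, not part of the CERT note or of any Oracle documentation, showing how a DBA can enumerate the access paths the addendum lists (direct grants, grants inherited through roles, and stored PL/SQL that references the package) before deciding whether to apply the revoke-from-PUBLIC workaround described in the vendor statement. They use only the standard SYS data-dictionary views DBA_TAB_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES, DBA_DEPENDENCIES and DBA_SOURCE; the exclusion of the SYS and SYSTEM schemas and the choice of 'SYS' as the package owner are assumptions for a default installation.

```sql
-- Added example: enumerate who can reach SYS.DBMS_EXPORT_EXTENSION.
-- Run as a user with SELECT on the DBA_* views (e.g. a DBA).
-- Assumption: the package lives in the SYS schema (default install).

-- 1. Direct EXECUTE grants on the package. PUBLIC is the well-known one;
--    any other grantee here is a user or role with a direct path.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_EXPORT_EXTENSION'
 ORDER BY grantee;

-- 2. Users and roles that inherit EXECUTE through a role, including
--    roles nested inside other roles. Start from every role that holds
--    a direct grant, then walk DBA_ROLE_PRIVS up to the users holding it.
--    Oracle refuses circular role grants, but NOCYCLE guards the walk anyway.
SELECT DISTINCT grantee                    AS user_or_role,
       CONNECT_BY_ROOT granted_role        AS via_role,
       LEVEL                               AS depth
  FROM dba_role_privs
 START WITH granted_role IN (
         SELECT grantee
           FROM dba_tab_privs
          WHERE owner = 'SYS'
            AND table_name = 'DBMS_EXPORT_EXTENSION'
            AND grantee IN (SELECT role FROM dba_roles))
 CONNECT BY NOCYCLE PRIOR grantee = granted_role
 ORDER BY 1, 2;

-- 3. Stored PL/SQL that references the package. A definer's-rights
--    procedure owned by a privileged schema and executable by others is
--    an indirect path even when the caller has no grant on the package.
SELECT d.owner, d.name, d.type
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  = 'DBMS_EXPORT_EXTENSION'
   AND d.owner NOT IN ('SYS', 'SYSTEM')     -- assumption: skip Oracle's own schemas
 ORDER BY d.owner, d.name;

-- 4. Same search over source text, which also catches dynamic SQL
--    (EXECUTE IMMEDIATE with the package name inside a string literal)
--    that DBA_DEPENDENCIES cannot track.
SELECT owner, name, type, line, text
  FROM dba_source
 WHERE UPPER(text) LIKE '%DBMS_EXPORT_EXTENSION%'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name, line;

-- 5. The workaround from the vendor statement, to be applied only after
--    queries 3 and 4 have shown which application code would lose access
--    and that code has been tested without it.
-- REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;
```

Query 2 is the one most often skipped: a direct grant to a custom role looks harmless in query 1, but every user holding that role, or a role that contains it, reaches the package just as PUBLIC does. Queries 3 and 4 identify the objects whose invalidation or failure would be the "product functionality" impact the vendor statement warns about, so they should be run before the REVOKE in step 5, not after.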