INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A knowledgeable, malicious and unauthenticated user can potentially inject a SQL script through a URL in order to gain unauthorized access to user data in Oracle9i Application Server. |
| PLATFORM: | Oracle9i Application Server Portal Release 1, v3.0.9.8.5 (and earlier)
Oracle9i Application Server Portal Release 2, v9.0.2.3.0 (and earlier) |
| DAMAGE: | An unauthenticated user can gain unauthorized access to user data. |
| SOLUTION: | Update to the patch. |
| VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. Unauthenticated users can gain unauthorized access to user data. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/o-017.shtml |
| ORIGINAL BULLETIN: | http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf |
| CVE/CAN: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0659 |
[***** Start Oracle Security Alert #61 *****] Oracle Security Alert #61 Dated: 3 November 2003 Severity: 1 SQL Injection Vulnerability in Oracle9i Application Server Description A potential security vulnerability has been discovered in the Portal component of Oracle9i Application Server, Release 9.0.2. A knowledgeable, malicious and unauthenticated user can potentially inject a SQL script through a URL in order to gain unauthorized access to user data in Oracle9i Application Server. Products Affected • Oracle9i Application Server Portal Release 1, v 3.0.9.8.5 (and earlier) • Oracle9i Application Server Portal Release 2, v 9.0.2.3.0 (and earlier) Portal version 9.0.2.6 and onwards are not vulnerable. Components affected (where applicable to the product version): • List of Values (LOVs) • Portal DB Provider Forms • Portal DB Provider Hierarchy • Portal DB Provider XML component Platforms Affected See Patch Availability Matrix. Required conditions for exploit An unauthenticated user with HTTP access. Note that Portal is installed by default with Oracle9i Application Server. Risk to exposure Risk to exposure is high. A SQL injection attack via the Internet is, in Oracle’s opinion, likely if the required conditions listed above are met. This vulnerability is also susceptible to an insider attack originated on the corporate Intranet. An unauthenticated user can submit unauthorized SQL queries on the Oracle9i Application Server Data Dictionary tables and/or also submit costly (time consuming) queries that may affect the performance of Oracle9i Application Server. How to minimize risk It is not feasible to disable public access from the vulnerable components to mitigate the risk. Oracle strongly recommends that the patches identified in this alert be applied. Follow Oracle’s best practices for database and application server: http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf http://otn.oracle.com/deploy/security/oracle9iAS/ and investigate typical IT deployments of firewalls, etc. Ramification for customer Oracle strongly recommends applying the patch for this potential vulnerability. Oracle recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings. Patch Information The patch is platform independent and may be applied across all platforms on which Portal is supported. Fixed by An interim (one-off) patch for this issue is available for the following Oracle 9iAS Portal versions: • Oracle9i Application Server Portal Release 1, v 3.0.9.8.5 • Oracle9i Application Server Portal Release 2, v 9.0.2.3.0 Download the appropriate one-off patch from the Oracle Support Services web site, Metalink (http://metalink.oracle.com). 1. Click on the Patches button. 2. Click on "Simple Search". 3. In the "Search By" option, select 'Patch Number(s)' from the dropdown menu, and enter the patch number from the Patch Availability Matrix in the box. 4. Select the platform. 5. Click on the “Go” button. 6. Click on the “Download” button. 7. Recommended: you should also click on the “View README” button for additional information and instructions. Please review Metalink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable. Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch. Patch Availability Matri Platforms iAS Version Portal Version Patch Number All 1.0.2.2 3.0.9.8.5 3068980 All 9.0.2.1 9.0.2.3 2853895 All 9.0.2.2 9.0.2.3A 2853895 All 9.0.2.3 9.0.2.3B 2853895 Note: • The ‘A’ and ‘B’ suffixes only serve to distinguish the labels used to release the Portal code with the bundled Oracle 9iAS patchset. This is the version that must be patched with the referenced patch number. • Patch 2853895 listed under Oracle 9iAS version 9.0.2.0 on Metalink is an obsolete duplicate. Please obtain the patch that is listed against 9iAS version 9.0.2.1. • In order to apply the patch, you must first upgrade to Oracle9i Application Server Portal, Release 2, v9.0.2.3.0, if on Release 2, or to Oracle9i Application Server Portal, Release 1, v3.0.9.8.5, if on Release 1. • For more information on Portal, please see http://portalcenter.oracle.com/upgrades Credits Oracle Corporation thanks David Litchfield, of Next Generation Security Software Ltd., for discovering and promptly bringing this potential security vulnerability to Oracle’s attention. The Next Generation Security Software Advisory is available at http://www.nextgenss.com/advisories.html. Modification History 03NOV03: Initial release, version 1 [***** End Oracle Security Alert #61 *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/