__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Oracle SQL Injection Vulnerability in Oracle9i Application Server [Oracle Security Alert #61] November 4, 2003 20:00 GMT Number O-017 ______________________________________________________________________________ PROBLEM: A knowledgeable, malicious and unauthenticated user can potentially inject a SQL script through a URL in order to gain unauthorized access to user data in Oracle9i Application Server. PLATFORM: Oracle9i Application Server Portal Release 1, v3.0.9.8.5 (and earlier) Oracle9i Application Server Portal Release 2, v9.0.2.3.0 (and earlier) DAMAGE: An unauthenticated user can gain unauthorized access to user data. SOLUTION: Update to the patch. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Unauthenticated users can gain unauthorized ASSESSMENT: access to user data. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-017.shtml ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0659 ______________________________________________________________________________ [***** Start Oracle Security Alert #61 *****] Oracle Security Alert #61 Dated: 3 November 2003 Severity: 1 SQL Injection Vulnerability in Oracle9i Application Server Description A potential security vulnerability has been discovered in the Portal component of Oracle9i Application Server, Release 9.0.2. A knowledgeable, malicious and unauthenticated user can potentially inject a SQL script through a URL in order to gain unauthorized access to user data in Oracle9i Application Server. Products Affected • Oracle9i Application Server Portal Release 1, v 3.0.9.8.5 (and earlier) • Oracle9i Application Server Portal Release 2, v 9.0.2.3.0 (and earlier) Portal version 9.0.2.6 and onwards are not vulnerable. Components affected (where applicable to the product version): • List of Values (LOVs) • Portal DB Provider Forms • Portal DB Provider Hierarchy • Portal DB Provider XML component Platforms Affected See Patch Availability Matrix. Required conditions for exploit An unauthenticated user with HTTP access. Note that Portal is installed by default with Oracle9i Application Server. Risk to exposure Risk to exposure is high. A SQL injection attack via the Internet is, in Oracle’s opinion, likely if the required conditions listed above are met. This vulnerability is also susceptible to an insider attack originated on the corporate Intranet. An unauthenticated user can submit unauthorized SQL queries on the Oracle9i Application Server Data Dictionary tables and/or also submit costly (time consuming) queries that may affect the performance of Oracle9i Application Server. How to minimize risk It is not feasible to disable public access from the vulnerable components to mitigate the risk. Oracle strongly recommends that the patches identified in this alert be applied. Follow Oracle’s best practices for database and application server: http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf http://otn.oracle.com/deploy/security/oracle9iAS/ and investigate typical IT deployments of firewalls, etc. Ramification for customer Oracle strongly recommends applying the patch for this potential vulnerability. Oracle recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings. Patch Information The patch is platform independent and may be applied across all platforms on which Portal is supported. Fixed by An interim (one-off) patch for this issue is available for the following Oracle 9iAS Portal versions: • Oracle9i Application Server Portal Release 1, v 3.0.9.8.5 • Oracle9i Application Server Portal Release 2, v 9.0.2.3.0 Download the appropriate one-off patch from the Oracle Support Services web site, Metalink (http://metalink.oracle.com). 1. Click on the Patches button. 2. Click on "Simple Search". 3. In the "Search By" option, select 'Patch Number(s)' from the dropdown menu, and enter the patch number from the Patch Availability Matrix in the box. 4. Select the platform. 5. Click on the “Go” button. 6. Click on the “Download” button. 7. Recommended: you should also click on the “View README” button for additional information and instructions. Please review Metalink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable. Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch. Patch Availability Matrix Platforms iAS Version Portal Version Patch Number All 1.0.2.2 3.0.9.8.5 3068980 All 9.0.2.1 9.0.2.3 2853895 All 9.0.2.2 9.0.2.3A 2853895 All 9.0.2.3 9.0.2.3B 2853895 Note: • The ‘A’ and ‘B’ suffixes only serve to distinguish the labels used to release the Portal code with the bundled Oracle 9iAS patchset. This is the version that must be patched with the referenced patch number. • Patch 2853895 listed under Oracle 9iAS version 9.0.2.0 on Metalink is an obsolete duplicate. Please obtain the patch that is listed against 9iAS version 9.0.2.1. • In order to apply the patch, you must first upgrade to Oracle9i Application Server Portal, Release 2, v9.0.2.3.0, if on Release 2, or to Oracle9i Application Server Portal, Release 1, v3.0.9.8.5, if on Release 1. • For more information on Portal, please see http://portalcenter.oracle.com/upgrades Credits Oracle Corporation thanks David Litchfield, of Next Generation Security Software Ltd., for discovering and promptly bringing this potential security vulnerability to Oracle’s attention. The Next Generation Security Software Advisory is available at http://www.nextgenss.com/advisories.html. Modification History 03NOV03: Initial release, version 1 [***** End Oracle Security Alert #61 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities O-010: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability O-011: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Admin Script O-012: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Server Daemon O-013: Buffer Overflow in Oracle Binary O-014: SGI Wildcard Exportfs Issue in Network File SYstem (NFS) O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities O-016: Apache HTTP Server 1.3.29 Release Fixes Security Vulnerability