[Full-disclosure] Oracle 10g DBMS_SCHEDULER SESSION_USER issue
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Oracle 10g DBMS_SCHEDULER SESSION_USER issue
- From: "Kornbrust, Alexander" <ak@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 May 2005 13:06:22 +0200
Red-Database-Security GmbH Oracle Security Advisory

Name:             Oracle 10g DBMS_SCHEDULER SESSION_USER issue
Systems Affected: Oracle Database 10g
Severity:         Medium Risk
Category:         Switch SESSION_USER to SYS
Vendor URL:       http://www.oracle.com
Author:           Alexander Kornbrust (ak at red-database-security.com)
Date:             03 May 2005 (V 1.00)
VU#:              176909
Description
###########
Every user with the CREATE JOB privilege can switch the SESSION_USER to SYS by executing a database job via dbms_scheduler. This could cause problems with VPD (virtual private database) or OLS (Oracle label security) and could allow privilege escalation.
This issue is not related to the Oracle Critical Patch Update 2005.
More details including test case available:
##########################################
http://www.red-database-security.com/exploits/oracle_exploit_dbms_scheduler_select_user.html
Patch Information
#################
This information has been public for months but Oracle never released a security alert for this issue. Applying patchset 10.1.0.4 fixes this issue.
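As an added example, not part of the advisory or of Red-Database-Security's published test case: the data dictionary queries a DBA could run to gauge exposure to this issue, that is, which accounts hold CREATE JOB (directly or through a role), which scheduler jobs exist outside the built-in accounts, what they execute, and the version banner to confirm that 10.1.0.4 is installed. The views and columns are the standard Oracle 10g dictionary; the seven-day window for run history and the exclusion of only SYS and SYSTEM as "built-in" owners are assumptions to adjust for your environment.

```sql
-- Added example (not from the advisory): exposure check for the
-- DBMS_SCHEDULER SESSION_USER issue. Run as a DBA.
-- Assumption: SYS and SYSTEM are the only owners treated as built-in;
-- the 7-day window for run history is likewise an assumption.

-- 1. Installed release. The advisory states that patchset 10.1.0.4
--    fixes the issue, so an earlier 10.1 release is exposed.
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Accounts holding CREATE JOB as a direct system privilege.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE JOB'
 ORDER BY grantee;

-- 3. Accounts holding CREATE JOB through a role (one level of nesting;
--    extend with a CONNECT BY over dba_role_privs for nested roles).
SELECT rp.grantee, rp.granted_role
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege = 'CREATE JOB'
 ORDER BY rp.grantee, rp.granted_role;

-- 4. Scheduler jobs owned by non-built-in accounts, with the action
--    each executes. Anything unexpected here deserves review.
SELECT owner, job_name, job_type, enabled, job_action
  FROM dba_scheduler_jobs
 WHERE owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, job_name;

-- 5. Recent runs of those jobs, for log review and correlation.
SELECT owner, job_name, status, actual_start_date, error#
  FROM dba_scheduler_job_run_details
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND log_date > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY log_date DESC;
```

Until the patchset is applied, the practical lever is the output of queries 2 and 3: CREATE JOB is the privilege the advisory names, so pruning it from accounts that do not need it, and reviewing the job actions from query 4, is the mitigation the findings support.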
History:
########
07 October 2004   Published at the Oracle Enterprise Server Forum in Metalink
About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com