
RE: security bug - join syntax

From: Eric D. Pierce <eric_d_pierce_at_pacbell.net>
Date: Mon, 22 Jul 2002 02:38:20 -0800
Message-ID: <F001.0049D8B6.20020722023820@fatcity.com>


re: Bug 2121935

---metalink excerpts---

Doc ID: 190077.1

List of Bugs fixed in Oracle9i Release 2 base release (9.2.0.1)

This is a listing of the main bugs fixed in the Oracle9i Release 2 base release. The bugs are listed in categories related to the product area and/or symptom of the bug. A bug may be listed in more than one section.

Bug Fixes by Category
...

Security
...

2121935* User Privileges Vulnerability in Oracle9i Database Server

...

 <Bug:2121935> * Fixed: 9201
 Security
 This problem is introduced in Oracle9i (9.0.1).  There is a user privileges vulnerability in Oracle9i Database Server.
 See <Note:185074.1>
...


 

 Doc ID: Note:185074.1
 Subject: ALERT: User Privileges Vulnerability in Oracle9i Database Server
 Type: ALERT
 Status: PUBLISHED
  Content Type: TEXT/PLAIN
 Creation Date: 18-APR-2002
 Last Revision Date: 25-APR-2002    

 Oracle Security Alert #33
 Dated: 17 April 2002  

 User Privileges Vulnerability in Oracle9i Database Server  

 Description


 

A potential security vulnerability has been discovered in Oracle9i database server. It is possible to create a user defined in the Oracle9i database server with limited privileges who can potentially access privileged data using SQL syntax for outer joins. As such, a knowledgeable and malicious user can gain unauthorized access to data in Oracle9i database server.  

None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 database server releases is affected by this vulnerability.

Products affected


 

 Oracle9i Database, Release 9.0.1.x, only    

 Platforms affected


 

 All    

 Workarounds


 

 There are no workarounds to protect against this potential vulnerability.    

 Patch Information


 

Oracle has fixed the potential vulnerability identified above in the upcoming Oracle Database server release, Oracle9i, Release 2. Patches with the base bug number, 2121935 are being made available only for supported releases of Oracle9i, Releases 9.0.1.x, database server on all supported platforms. For Windows NT and 2000, the patch is included in 2338791 for 9.0.1.3.    

Download currently available patches for your platform from Oracle Support web site, iSupport, http://metalink.oracle.com. Activate the "Patches" button to get to the patches Web page. Enter the base bug fix number indicated above and activate the "Submit" button.  

Please check MetaLink or Oracle Support Services periodically for patch availability if the patch for your platform is not yet available.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.  

Change Record



Windows NT and 2000 bug information was added to the Patch Information section of this alert on 25-Apr-02.

 

  Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.


On 19 Jul 2002 at 10:58, Deshpande, Kirti wrote:

Date sent: Fri, 19 Jul 2002 10:58:26 -0800 <kirti.deshpande_at_verizon.com>
To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
Send reply to: ORACLE-L_at_fatcity.com
Organization: Fat City Network Services, San Diego, California
> Is this still a problem in 9iR2? I do not have it installed yet :( 
> 
> - Kirti 
> 
> > -----Original Message-----
> > From:	Jared.Still_at_radisys.com [SMTP:Jared.Still_at_radisys.com]
> > Sent:	Friday, July 19, 2002 12:05 PM
> > To:	Multiple recipients of list ORACLE-L
> > Subject:	Re: security bug - join syntax
> > 
> > Thanks Linda.
> > 
> > Usenet seems to be a little behind the curve though.
> > 
> > Jonathan Lewis discovered this and posted on the list
> > ( you saw it here first! ) over a month ago.
> > 
> > Jared
> > 
> > 
> > 
> > 
> > 
> > Linda.Miller-Coker_at_jpmorgan.com
> > Sent by: root_at_fatcity.com
> > 07/19/2002 09:23 AM
> > Please respond to ORACLE-L
> > 
> >  
> >         To:     Multiple recipients of list ORACLE-L
> > <ORACLE-L_at_fatcity.com>
> >         cc: 
> >         Subject:        Re: security bug - join syntax
> > 
> > 
> > 
> > This just in from comp.databases.oracle.server.
> > 
> > See metalink bug 2121935.


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Eric D. Pierce
  INET: eric_d_pierce_at_pacbell.net

Received on Mon Jul 22 2002 - 05:38:20 CDT
