Advisory for Oracle CPU January 2008 - Ultra Search excessive privileges See http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm for details. Description Oracle Ultra-Search uses database and Oracle text functionallity to provide a uniform search function that is fully integrated with the SQL language and where it allows full text search capabilities within the database. For more details see Introduction to Oracle Ultra Search 101/b10731/over.htm>. The issue located by PeteFinnigan.com Limited relates to excessive privileges assigned to the WKSYS database schema/user account. Risk If the WKSYS schema exists then the risk is still present without application of the patch. The CVSS score is 3.0 which is low but the risk increases if the schema is accessible due to a weak password or an additional attack vector that allows code to run as WKSYS. Access to the schema, either directly or indirectly are required to expliot this issue. Workaround If the Oracle Ultra-Search functionallity is not required either directly or indirectly then ensure that this component is not installed. This can be verified by checking if the WKSYS schema is present in the database. Versions affected The following Oracle database versions are affected * Database o 9.2.0.8 and lower o 10.1.0.5 and lower o 10.2.0.3 and lower * Application Server o 9.0.4.3 and lower o 10.1.2.2 and lower * Collaboration Suite o 10.1.2 and lower Patch Information PeteFinnigan.com Limited advises customers to apply the January 2008 CPU patch as soon as is practical. See Oracle's advisory /cpujan2008.html> for details of the patch availability matrix. Credit Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability. cheers Pete -- Pete Finnigan Principal Consultant PeteFinnigan.com Limited Specialists in database security Phone: 0044 (0)1904 791188 Fax : 0044 (0)1904 791188 Mob : 0044 (0)7742 114223 email: pete (at) petefinnigan (dot) com [email concealed] site : http://www.petefinnigan.com [ reply ]
