Un-patched Oracle Database Bugs - E-Business Suite Impact
There are currently three major un-patched and published Oracle Database security bugs and all three bugs impact the Oracle E-Business Suite. All Oracle Applications 11i implementations should review the possible impact on their installations to determine the necessary corrective action. I don't foresee any of these bugs being fixed before the October 2005 Critical Patch Update.
Here is a quick rundown of the bugs --
- The previous fixes for a number of SQL injection bugs in standard Oracle Database packages are flawed and can still be compromised. This is a particularly critical issue in Oracle Applications due to the APPLSYSPUB account and due to the design of the application.
- The View access bypass bug, first inadvertently published by Oracle in April 2006, was not patched in the July 2006 CPU. This bug can be easily exploited in Oracle Applications. Any database account with CREATE VIEW system privilege can insert, update, or delete any data where the account has only select permissions. This bug pretty much blows any data integrity of the application out of the water if you have database accounts with CREATE VIEW privilege.
- An integer overflow exists in the Alter Session statement and can be exploited by the APPLSYSPUB account. Although, advanced knowledge is probably required to exploit this issue, unless someone publishes a detailed exploit.
Integrigy has released an in-depth analysis with possible mitigation steps.