Fundamental Oracle Flaw Revealed
The Oracle reaction
When we first contacted Oracle about the SCN issue, Mark Townsend, vice president of database product management, offered this reaction to our discovery of a low-privilege method to arbitrarily increase the SCN: "The way that you're putting these [issues] together is nothing that we've seen ... we need to understand what it is that you're doing to raise the SCN by trillions. Obviously I need to have some time to have the dev people look at that. "
After much discussion and exchange of technical data, Oracle acknowledged that there were ways to increase the SCN at will. Referring to one method, Townsend said, "This is an undocumented, hidden parameter, so it was never intended for customers to discover and use this."
However, we pointed out that there were several other methods that could be used; we sent those to Oracle as well.
Oracle's remedy for these security vulnerabilities is in the series of patches present in the just-released January Oracle Critical Patch Update. These patches remove the various methods of arbitrarily increasing the SCN and implement a new method of protection, or "inoculation," as Townsend put it, for Oracle databases.
We haven't had time to exhaustively test these patches, nor do we know exactly what the "inoculation" patch does. In fact, without extensive testing, we cannot provide further details other than it claims to prevent connections from databases with sufficiently high SCN values. We do not know, for example, whether this could potentially cause problems for affected systems that need to connect with other systems.
These patches are being released for only the more recent versions of the database: Oracle 11g 188.8.131.52, 184.108.40.206, and 220.127.116.11, as well as Oracle 10g 10.1.0.5, 10.2.0.3, 10.2.0.4, and 10.2.0.5. Older versions will continue to be affected. Given the sheer number of Oracle installations older than 18.104.22.168.0 and 10.1.0.5, a large installed base will remain vulnerable.
The next steps
The next step for Oracle admins is to inspect the SCN values of their databases. Following that, the application of the hot-backup patch is crucial, as are the follow-up patches that address the ability to arbitrarily increase the SCN value through administrative commands. However, since patches exist only for newer versions of the database, there may be no other option for older databases than to upgrade.
It's also critical that Oracle admins take great pains to prevent any unpatched Oracle database servers from connecting to any other Oracle databases within the infrastructure. This will present quite a challenge in large deployments that utilize many different Oracle versions, but it will be necessary to prevent spurious SCN growth. It appears that keeping SCN values in check will be an ongoing exercise for some Oracle shops, requiring monitoring and careful inspection of new installations down the road.
We hope that Oracle's patches and the increased visibility of this issue will provide Oracle shops with fair warning of problems they may face and arm them with at least some protection against a potentially large problem.
This article, "Fundamental Oracle flaw revealed," was originally published at InfoWorld.com. Follow the latest developments in business technology news and get a digest of the key stories each day in the InfoWorld Daily newsletter. For the latest business technology news, follow InfoWorld on Twitter.
Read more about security in InfoWorld's Security Channel.