Oracle Database Server contains a SQL injection vulnerability that could allow an authenticated, remote attacker to tamper with the database.
The vulnerability is due to an error in the Oracle Text component of Oracle Database. An authenticated, remote attacker could exploit this vulnerability by passing crafted input to the database. An exploit could allow the attacker to tamper with the database in a way that could result in a complete compromise of the database server.
Functional exploit code is publicly available that can grant DBA privileges to an arbitrary user.
Oracle has confirmed this vulnerability and released updated software.
Indicators of Compromise
Oracle Database Server versions 10.1.0.5 and prior, 10.2.0.4 and prior, 220.127.116.11, and 18.104.22.168DV are vulnerable.
The vulnerability is due to an error in the ctxsys.drvxtabc.create_tables procedure of the database. An authenticated, remote attacker could exploit this vulnerability by passing crafted input to the idx_owner and idx_name parameters of the ctxsys.drvxtabc.create_tables procedure. A successful exploit could allow the attacker to execute arbitrary SQL commands on the database with elevated privileges. This could allow the attacker to add, modify, or delete data in the database, which could result in a complete compromise of the database server.
To exploit this vulnerability, an attacker must be authenticated to the database and must also hold the EXECUTE privilege on CTXSYS.DRVXTABC. A successful exploit could allow the attacker to add, modify, or delete data in the database, which could result in complete compromise of the database server.
The Oracle Critical Patch Update for October 2009 lists and confirms CVE-2009-1991 as corrected; however, Oracle has not provided technical details for the vulnerability.
Administrators are advised to apply the appropriate updates.
Administrators are advised to restrict native SQL access on production databases to trusted users.
Administrators are advised to monitor critical systems for signs of exploitation.
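The following audit queries are an added example, not part of the original alert or Oracle's guidance. They show one way to act on the advice above: list which accounts can reach CTXSYS.DRVXTABC and record calls to it. They assume a DBA session with access to the DBA_* dictionary views and that standard auditing (the AUDIT_TRAIL parameter) is enabled; the 30-day window is an arbitrary choice.

```sql
-- 1. Accounts and roles that hold EXECUTE on the package, either directly
--    or through a chain of nested roles. A grantee of PUBLIC means every
--    authenticated user meets the privilege requirement.
SELECT grantee AS account_or_role, 'direct grant' AS path
FROM   dba_tab_privs
WHERE  owner = 'CTXSYS'
AND    table_name = 'DRVXTABC'
AND    privilege = 'EXECUTE'
UNION
SELECT rp.grantee, 'via role'
FROM   dba_role_privs rp
START WITH rp.granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner = 'CTXSYS'
         AND    table_name = 'DRVXTABC'
         AND    privilege = 'EXECUTE')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER BY 1;

-- 2. The EXECUTE ANY PROCEDURE system privilege also permits the call,
--    so holders of it belong on the same review list.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXECUTE ANY PROCEDURE'
ORDER BY grantee;

-- 3. Record every execution of the package from now on.
AUDIT EXECUTE ON ctxsys.drvxtabc BY ACCESS;

-- 4. Review recorded calls. Entries from accounts that are not expected
--    to administer Oracle Text indexes deserve a closer look.
SELECT username, userhost, os_username, timestamp, action_name, returncode
FROM   dba_audit_trail
WHERE  owner = 'CTXSYS'
AND    obj_name = 'DRVXTABC'
AND    timestamp > SYSDATE - 30   -- assumed review window
ORDER BY timestamp DESC;
```

Compare the output of queries 1 and 2 against the set of users trusted with native SQL access on the production database.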
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.