Oracle CPU April 2016
David Litchfield (dlitchfield@google.com)
22nd April 2016
Oracle released a Critical Patch Update or CPU on Tuesday 19th April, 2016 fixing over 136 issues [1]. This document details the issues reported by David Litchfield.
Whilst the CPU is undergoing testing before being deployed, it is strongly urged that customers either remove this JSP or use a Location or mod_rewrite directive to deny access to it.
Limited PL/SQL Injection in E-Business Suite 12.2, 12.1 and 11.5 (CVE-2016-0697)
The FND_WEB_SEC PL/SQL package contains two functions, INT_CPASS_SYS and INT_CPASS_ORA, that both internally call the CONN_INSIDE_SYS procedure, which executes the following SQL:
This can be used to change the password of any user and, by injecting via the P_PASS parameter, to modify other aspects of the user, for example unlocking the account. The SQL is executed via DBMS_SYS_SQL and, to accommodate this, the APPS user has been granted the EXECUTE privilege on that package. Anyone with EXECUTE privileges on DBMS_SYS_SQL can execute SQL as the SYS user by specifying 0 for the USER_ID parameter of PARSE_AS_USER. This is a secondary issue to the limited PL/SQL injection and was tracked as S0637799, but it appears that, whilst Oracle has fixed it, they have not included it in their public risk matrix. When combined with the pre-auth SQL injection (CVE-2016-3466) this presents a serious threat to the security of an E-Business Suite system. Applying the CPU will resolve these issues.
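Because EXECUTE on SYS.DBMS_SYS_SQL is effectively SYS-level access, the first thing a DBA reviewing an E-Business Suite database for this issue wants is a list of who actually holds that grant, directly or through a role. The following query is an added example and is not taken from the original document; it uses only the standard DBA_TAB_PRIVS and DBA_ROLE_PRIVS views and needs a DBA-privileged session.

```sql
-- Added example, not from the original document.
-- Direct grantees (users, roles and PUBLIC) holding EXECUTE on SYS.DBMS_SYS_SQL.
-- On an E-Business Suite database the APPS schema appears here; the text above
-- explains why, and the April 2016 CPU is the supported fix.
SELECT grantee, privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DBMS_SYS_SQL'
   AND privilege  = 'EXECUTE'
 ORDER BY grantee;

-- Indirect grantees: any user who holds a role that in turn carries the grant.
-- One level of role nesting is resolved here; deeper chains need a recursive
-- walk over DBA_ROLE_PRIVS.
SELECT rp.grantee        AS user_or_role,
       rp.granted_role   AS via_role,
       tp.grantable
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp
    ON tp.grantee = rp.granted_role
 WHERE tp.owner      = 'SYS'
   AND tp.table_name = 'DBMS_SYS_SQL'
   AND tp.privilege  = 'EXECUTE'
 ORDER BY rp.grantee, rp.granted_role;
```

Treat every row that is not an Oracle-maintained account as a finding to justify. Do not simply revoke the grant from APPS on an unpatched system: the FND_WEB_SEC functions described above depend on it, so the supported remediation is to apply the CPU and then re-run the two queries to confirm the resulting grant list is what you expect.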
Failures in the Audit System in the Oracle RDBMS 12.1, 11.2 and earlier
AUDIT NOT EXISTS fails to capture attempts to execute a procedure that does not exist, either because the user does not have the EXECUTE privilege on it or because the procedure does not actually exist (CVE-2016-0690). If a DBA wants to capture attempts to execute procedures where the user does not have the EXECUTE privilege, they must also add:
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;
However, both AUDIT NOT EXISTS and AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL fail to capture attempts when a procedure actually doesn't exist, for example:
EXEC AFGSFGAFSAGSF;
Further, if a "missing" (due to no EXECUTE privilege) function is referenced within a SELECT query, the name logged is not that of the function but that of the table in the query (CVE-2016-0691).
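A DBA who relies on these audit options should be able to see for themselves what the trail does and does not record, both before and after applying the CPU. The following is an added example, not part of the original document: it enables the two audit settings discussed above and then reviews the resulting rows. It assumes traditional auditing is in use (the AUDIT_TRAIL parameter set to DB or DB,EXTENDED) and that the session can read DBA_AUDIT_TRAIL; the PROBE_* names used in the comments are placeholders for whatever non-existent or unprivileged procedure you choose to call from a low-privilege test account.

```sql
-- Added example, not from the original document.
-- Step 1: the two audit settings the text discusses. NOT EXISTS is meant to
-- record references to non-existent objects; the second option records
-- EXECUTE attempts that fail, such as ORA-01031 insufficient privileges.
AUDIT NOT EXISTS;
AUDIT EXECUTE PROCEDURE WHENEVER NOT SUCCESSFUL;

-- Step 2 (from a separate, low-privilege test session, not shown here):
--   EXEC PROBE_NO_SUCH_PROC;                 -- placeholder: procedure that does not exist
--   EXEC some_schema.PROBE_NO_PRIV_PROC;     -- placeholder: exists, caller lacks EXECUTE
--   SELECT some_schema.PROBE_NO_PRIV_FUNC(1) FROM some_schema.some_table;

-- Step 3: review what was actually written. RETURNCODE is the ORA error number
-- for the failed statement; 0 means success.
SELECT TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS at_time,
       os_username,
       username,
       userhost,
       action_name,
       owner,
       obj_name,
       returncode
  FROM dba_audit_trail
 WHERE returncode <> 0
   AND timestamp   > SYSDATE - 1
 ORDER BY timestamp DESC;
```

On an unpatched database the behaviour described above shows up as gaps in the result set: the call to the non-existent procedure produces no row at all, and for the function inside the SELECT the OBJ_NAME column names the table rather than the function. Re-running the same three probe statements after applying the CPU and comparing the output is the simplest way to confirm the fix took effect on your system.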
Revoke succeeded.
[1] http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
[2] https://www.first.org/cvss/calculator/3.0