Oracle Application Server PLSQL Injection Flaw

Friday, July 25, 2008
Priority: HIGH

Impact: Potential for database corruption or information leakage. PCI DSS non-compliance.

Resolution: Verify the blocking policy in the web application firewall and apply the appropriate patch from Oracle.

Who: All websites using Oracle Application Server (OAS) versions:

  • 9.0.4.3
  • 10.1.2.2
  • 10.1.4.1

What: The July 2008 Critical Patch Update (CPU) addresses numerous vulnerabilities in several Oracle products, including OAS. The OAS PLSQL injection flaw allows an unauthenticated attacker to gain full control of a back-end Oracle database server via the front-end web server.

How: The WWV_RENDER_REPORT PLSQL package installed with OAS is vulnerable to SQL injection. Specifically, the SHOW procedure takes the name of a function to execute as its second argument. That function name is embedded in a dynamically executed anonymous PLSQL block without first being sanitized.

Example:

http://www.example.com/pls/foo/wwv_render_report.show?P_QUERY=1&P_ROW_FUNCTION=[SQL_INJECTION_HERE]

Impact: The WWV_RENDER_REPORT package uses definer rights execution and executes with the privileges of the PORTAL user. Because a block of anonymous PLSQL is used in the attack, a hacker can exploit the flaw to run any SQL statement. For example, the hacker can create new users, grant database administrator privileges, or delete or modify data. These tasks are achieved by wrapping the statement(s) within an “execute immediate” statement and specifying the autonomous_transaction pragma.

Additionally, organizations impacted by this vulnerability may be out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS Requirement 6.5.6 states that organizations should:

“…Cover prevention of common coding vulnerabilities in software development processes, to include the following…injection flaws (for example, structured query language (SQL) injection).”

Risk: Even though Oracle released security updates for this issue, there is always a time lag associated with proper testing before the full migration of the patches to production systems. This “time-to-fix” window related to standard patching is often measured in weeks to months, leaving organizations vulnerable to external attacks. For these reasons, we have categorized this as a HIGH severity issue.

To obtain the appropriate security updates from Oracle, visit:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Resolution: Breach Security recommends that organizations continue normal vendor patching processes; however, it should not be the only mitigation effort. Breach Security web application firewalls already offer continuous protection by detecting and blocking this attack before it can reach the web application.

How WebDefend Customers Are Protected: WebDefend customers are proactively protected by the positive security profile automatically created by the Adaption™ learning system. The Adaption system creates a profile of normal, acceptable input for the P_ROW_FUNCTION parameter of the wwv_render_report page, learning the acceptable functions legitimately used. If additional PLSQL data were added, it would be identified and blocked. This positive security model allowing only known, expected data provides the best protection against injection attacks.
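As an added illustration of the positive security profile described above (this is not Breach Security's or Oracle's code): a small Python model that learns the acceptable P_ROW_FUNCTION values from known-good requests to wwv_render_report.show and then blocks any value that is not a bare, previously learned PL/SQL identifier. The request URLs and function names are constructed for the example.

```python
"""Positive-security check for the P_ROW_FUNCTION parameter of
wwv_render_report.show. Added illustration, not vendor code; the
request URLs and learned function names below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# A legitimate row function is a plain PL/SQL identifier, optionally
# schema- or package-qualified (e.g. PORTAL.MY_PKG.ROW_FN). Spaces,
# semicolons, quotes or operators can never be part of a bare name.
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*(\.[A-Za-z][A-Za-z0-9_$#]*){0,2}$")

# Constructed known-good traffic used for the learning phase.
GOOD_REQUESTS = [
    "http://www.example.com/pls/foo/wwv_render_report.show?P_QUERY=1&P_ROW_FUNCTION=portal.report_row",
    "http://www.example.com/pls/foo/wwv_render_report.show?P_QUERY=2&P_ROW_FUNCTION=SALES_ROW_FN",
]

def row_function_param(url):
    """Return the decoded P_ROW_FUNCTION value of a request URL, or None
    when the request is not for wwv_render_report.show or lacks the parameter."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/wwv_render_report.show"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("P_ROW_FUNCTION")
    return values[0] if values else None

def learn_profile(good_requests):
    """Learning phase: collect well-formed function names seen in known-good
    traffic, upper-cased because unquoted PL/SQL identifiers are case-insensitive."""
    profile = set()
    for url in good_requests:
        value = row_function_param(url)
        if value is not None and IDENT.match(value):
            profile.add(value.upper())
    return profile

def check_request(url, profile):
    """Enforcement phase: allow only requests whose P_ROW_FUNCTION is absent
    or is a learned, well-formed identifier; anything else is blocked."""
    value = row_function_param(url)
    if value is None:
        return ("allow", "no P_ROW_FUNCTION parameter")
    if not IDENT.match(value):          # anonymous block, operators, empty value
        return ("block", "value is not a bare PL/SQL identifier")
    if value.upper() not in profile:    # well-formed but never seen in learning
        return ("block", "identifier not in learned profile")
    return ("allow", "learned row function")
```

Because the model allows only names it has learned, a value carrying an anonymous PLSQL block is rejected on its shape alone, before any signature matching is needed.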

How ModSecurity Pro M1100 Customers Are Protected: M1100 customers have basic protection against this attack through the Universal Application Attack Detection rules. These rules identify the vast majority of attacks, as they search all attack vector points for known malicious payloads. M1100 customers running vulnerable versions of OAS and desiring to implement a more targeted remediation for this specific vulnerability may contact the Breach Security Services Team to receive a custom virtual patch as part of their current support contract.

All Breach Security customers should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically, that the appliances are configured in a blocking mode for these attacks.

Contact: For more information on this alert, please email support@breach.com.