Back to list
PeteFinnigan.com Limited advisory for Oracle January 2008 CPU
Jan 30 2008 05:51PM
Pete Finnigan (pete petefinnigan com)
Advisory for Oracle CPU January 2008 - Ultra Search excessive
See http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm for details.
Oracle Ultra-Search uses database and Oracle text functionallity to
provide a uniform search function that is fully integrated with the SQL
language and where it allows full text search capabilities within the
database. For more details see Introduction to Oracle Ultra Search
The issue located by PeteFinnigan.com Limited relates to excessive
privileges assigned to the WKSYS database schema/user account.
If the WKSYS schema exists then the risk is still present without
application of the patch. The CVSS score is 3.0 which is low but the
risk increases if the schema is accessible due to a weak password or an
additional attack vector that allows code to run as WKSYS. Access to the
schema, either directly or indirectly are required to expliot this issue.
If the Oracle Ultra-Search functionallity is not required either
directly or indirectly then ensure that this component is not installed.
This can be verified by checking if the WKSYS schema is present in the
The following Oracle database versions are affected
o 126.96.36.199 and lower
o 10.1.0.5 and lower
o 10.2.0.3 and lower
* Application Server
o 188.8.131.52 and lower
o 10.1.2.2 and lower
* Collaboration Suite
o 10.1.2 and lower
PeteFinnigan.com Limited advises customers to apply the January 2008 CPU
patch as soon as is practical. See Oracle's advisory
for details of the patch availability matrix.
Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability.
Specialists in database security
Phone: 0044 (0)1904 791188
Fax : 0044 (0)1904 791188
Mob : 0044 (0)7742 114223
email: pete (at) petefinnigan (dot) com [email concealed]
site : http://www.petefinnigan.com
[ reply ]
Copyright 2010, SecurityFocus