Re: Regarding Oracle SCN Issue/Infoworld article

  • From: Marcin Przepiorowski <pioro1@xxxxxxxxx>
  • To: ChrisDavid.Taylor@xxxxxxxxxxxxxxx
  • Date: Fri, 20 Jan 2012 15:38:37 +0000

On Fri, Jan 20, 2012 at 1:21 PM, Taylor, Chris David
<ChrisDavid.Taylor@xxxxxxxxxxxxxxx> wrote:
> Marcin – are you saying that you confirmed a local created copy of an oracle
> database could generate the SCN problem on a remote database?

> A coworker asked me about this same scenario:
> - Malicious user creates a local Oracle database (say, XE) and connects it
> to a remote corporate database via database link
> - User then artificially raises the SCN in his local database and connects
> to the remote, corporate database

That was my case - XE database with SCN number pushed very
high and database link to other database. User used for db link had a create session plus
schema privileges.
> - User creates a transaction to the remote database

You don't need to start a transaction I just did

select * from dual@dblink

and SCN on remote DB has been updated using SCN from my XE DB.

> In *theory* the remote Oracle database should REJECT this transaction
> because the SCN number is now too high and return an error back to the
> remote database.

It didn't happen - SCN had been updated.

Marcin Przepiorowski

Other related posts: