Re: Interesting MetaLink notice

  • From: Connor McDonald <mcdonald.connor@xxxxxxxxx>
  • To: Oracle-L Freelists <oracle-l@xxxxxxxxxxxxx>
  • Date: Sun, 5 Feb 2006 11:22:38 +0800

It's there now.... I suppose by pasting it below I've broken all sorts of
customer support contract rules, but oh well... The content is:

FAQ For Oracle PL/SQL Gateway Security Issue Released by David Litchfield
February 2, 2006

David Litchfield, an independent security researcher, discussed a workaround
for a vulnerability in Oracle Application Server at Black Hat Federal on
January 25. The vulnerability lies in the Oracle PLSQL Gateway, a component
of several Oracle products. According to Mr. Litchfield's analysis, the bug
can be exploited by an attacker to grab complete control of an Oracle
database server via the compromised Web Server.

1. Is there a patch available for this issue? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#1>
2. Are there exploits available for this issue? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#2>
3. I have read that Mr. Litchfield's presentation at Black Hat was a "zero-day." Is this true? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#3>
4. Is there a workaround for the issue? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#4>
5. What about the workaround Mr. Litchfield described in his Black Hat Federal presentation? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#5>
6. Mr. Litchfield has said that "this bug is so easy to fix and easy to workaround." Why didn't Oracle fix this sooner? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#6>
7. When does Oracle plan to fix this issue? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#7>
8. What does "subject to testing and integration" mean? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#8>
9. Will Oracle provide details of the patch or vulnerability in advance of the CPU? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#9>
10. Does Oracle ever do one-off security patches in advance of a CPU? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#10>
11. Will Oracle issue a Security Alert for this vulnerability prior to the April CPU? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#11>
12. What is Oracle doing to address this issue prior to a patch being available? <https://metalink.oracle.com/metalink/plsql/f?p=125:4:5454752290609545917::::p4_id:1696291.993#12>

*1. Is there a patch available for this issue?*
Answer. No. Mr. Litchfield released the workaround in advance of a patch
being available for the vulnerability.

*2. Are there exploits available for this issue?*
Answer. At this time, Oracle knows of no *public* exploits for this issue.
Oracle does not develop or distribute active exploit code (or "proof of
concept code") for vulnerabilities in our products. Mr. Litchfield is a
professional security researcher and he understands the risk of releasing an
exploit.

*3. I have read that Mr. Litchfield's presentation at Black Hat was a
"zero-day." Is this true?*
Answer. No. Generally, a "zero-day" refers to a working exploit of an
*unpatched* vulnerability that was not previously reported to the vendor. Mr.
Litchfield presented a *workaround* for a vulnerability that he had
previously reported to Oracle.

*4. Is there a workaround for the issue?*
Answer. Oracle knows of no workaround that protects all customers against
possible exploitation of the issue and that has been tested across the
entire dependent product stack. We continue to explore potential workarounds
for this issue and will notify customers if one becomes available.

*5. What about the workaround Mr. Litchfield described in his Black Hat
Federal presentation?*
Answer. Oracle was not given an opportunity to validate the workaround prior
to Mr. Litchfield releasing it, though he did notify us after the fact. We
regret that Mr. Litchfield made the workaround information public in advance
of either Oracle being able to validate the workaround or Oracle being able
to provide a patch. Based on subsequent analysis, we now believe that the
workaround proposed by Mr. Litchfield will break Oracle eBusiness Suite
applications and may break other products.

*6. Mr. Litchfield has said that "this bug is so easy to fix and easy to
workaround." Why didn't Oracle fix this sooner?*
Answer. Oracle began working on a fix as soon as Mr. Litchfield reported it
in late October 2005. It was not trivial to address completely; indeed,
fully addressing the vulnerability required several product modifications.
Despite our best efforts, we were unable to meet the cutoff dates for
inclusion of the fix in the January Critical Patch Update (CPU). We announce
CPU dates a year in advance and we have strict timetables for patch
delivery, including testing fixes across multiple platforms and multiple
versions of dependent products.

*7. When does Oracle plan to fix this issue?*
Answer. Oracle has been working on the issue since Mr. Litchfield reported
it in late October 2005. We have successfully identified the base issue and
backports are tentatively scheduled for release to customers in the April
CPU, subject to integration and testing.

*8. What does "subject to testing and integration" mean?*
Answer. Oracle is making every effort to get the fix for this issue in our
April CPU, for the benefit of all customers. However, we do thorough testing
of fixes across multiple versions, operating systems, in conjunction with
dependent Oracle products. It is possible that we will find a problem late
in the CPU cycle (e.g., we might find that this fix breaks a dependent
product). In that event, we would elect to pull the fix from the CPU rather
than break dependent Oracle products.

*9. Will Oracle provide details of the patch or vulnerability in advance of
the CPU?*
Answer. No. Oracle releases information about the nature of the
vulnerability in the CPU documentation, at the same time as the fixes are
made available to all customers, in accordance with our formal policies on
vulnerability handling. Particularly as there is no workaround which both
fully protects customers, and works for all Oracle products (i.e., without
breaking some of them), Oracle believes that providing more details about
the vulnerability in advance of a fix would be irresponsible.

*10. Does Oracle ever do one-off security patches in advance of a CPU?*
Answer. Our formal security vulnerability handling processes do provide for
us to do one-off (i.e., single issue) security patches in extraordinary
circumstances and proactively notify our customers of patch availability,
via a Security Alert.

*11. Will Oracle issue a Security Alert for this vulnerability prior to the
April CPU?*
Answer. At this time, we have no plans to do so, for several reasons. The
nature of the affected component is such that, in order to fully protect
customers from *all* known issues, we would also have to include *previous* CPU
fixes to the affected component. In other words, we cannot easily release a
fix for just this issue, as patch application could "undo" other changes to
the affected component delivered via previous CPUs. The work to include, and
test, all previous CPU fixes for the affected component (as part of patch
delivery) is equivalent to producing a CPU, and would follow the same
process. Therefore, at this time, we believe customers are best served by
Oracle releasing a fix for this issue as part of the April CPU.

*12. What is Oracle doing to address this issue prior to a patch being
available?*
Answer. Oracle is looking for a set of workarounds that provide partial or
total workarounds on all products. If all customers can be protected via a
set of workarounds (or partial workarounds), we will provide them to
customers, via a Metalink note, as we test and validate them.
