When I first heard from an anonymous source about a flaw in the Oracle database, I was skeptical. I'm well versed in the endless cycle of bugs and patches that surrounds the software industry. But this was different. Unless that source was blowing smoke, this was a vulnerability at the heart of the industry's most widely used and trusted enterprise database product.
I immediately contacted InfoWorld contributing editor Paul Venezia and assigned him the story, which we've published today as "A fundamental Oracle flaw." I chose Paul because he has a deep, hands-on understanding of IT and proven instincts as both a technologist and a reporter. (Among other accomplishments, Paul was the only journalist to deduce the real story behind the infamous Terry Childs affair.)
Paul agreed that the Oracle story made logical sense but seemed unbelievable. Apparently, the Oracle System Change Number (SCN), a sort of time stamp applied to every database transaction, could be raised artificially -- either through a bug that had recently surfaced or through a malicious attack that required very low database privileges. When the SCN grew large enough and a threshold was crossed, the database could become unstable or crash -- and could not be revived easily.
Moreover, in environments where databases connect frequently, that high SCN value could conceivably spread among connected databases like a virus.
In testing, we confirmed that, indeed, the value could be raised artificially and spread from one database to another. And we consulted with many different Oracle experts about the problem. As with most newly discovered vulnerabilities, none of those experts had knowingly encountered the issue in the wild, but the story quotes two tech pros who clearly understood the implications.
We then contacted Oracle itself. Oracle representatives professed to be unaware of the method we had used to raise the SCN and asked us to hold publication of our story until the company could release a patch, which would purportedly also prevent nonmalicious methods of raising the SCN value to dangerous levels.
That patch is available today as a part of the Oracle Critical Patch Update for January 2012. It can be applied to the following Oracle Database versions:
- 11g Release 2, versions 220.127.116.11, 18.104.22.168
- 11g Release 1, version 22.214.171.124
- 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
- 10g Release 1, version 10.1.0.5
Oracle provided us with a download of the patch in advance of its release today. Although we've run preliminary tests and confirmed that the patch prevents some forms of manipulation of the SCN, we do not know how Oracle's remedy will fare in complex, interconnected database environments.
So I'd like to invite all Oracle customers who install the patch to contact InfoWorld and let us know about your experiences.
In the interests of protecting Oracle customers from malicious attack, we refrained from releasing any information about the vulnerability until today. Now that our story has broken, we want to hear from Oracle users about the effectiveness of the fix -- including advice on how to apply it, particularly in complex environments.
This article, "Calling all Oracle customers," originally appeared at InfoWorld.com, in Eric Knorr's Modernizing IT blog.