When I first heard from an anonymous source about a flaw in the Oracle database, I was skeptical. I'm well versed in the endless cycle of bugs and patches that surrounds the software industry. But this was different. Unless that source was blowing smoke, this was a vulnerability at the heart of the industry's most widely used and trusted enterprise database product.
I immediately contacted InfoWorld contributing editor Paul Venezia and assigned him the story, which we've published today as "A fundamental Oracle flaw." I chose Paul because he has a deep, hands-on understanding of IT and proven instincts as both a technologist and a reporter. (Among other accomplishments, Paul was the only journalist to deduce the real story behind the infamous Terry Childs affair.)
Paul agreed that the Oracle story made logical sense, but it seemed unbelievable. Apparently, the Oracle System Change Number (SCN), a sort of time stamp applied to every database transaction, could be raised artificially -- either through a bug that had recently surfaced or through a malicious attack that required very low database privileges. When the SCN grew large enough and a threshold was crossed, the database could become unstable or crash -- and could not be revived easily.
Moreover, in environments where databases connect frequently, that high SCN value could conceivably spread among connected databases like a virus.
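For administrators who want to see how much room their own database has before that threshold, the following query is an added example (not from the story, and not an Oracle-supplied script). It assumes Oracle's documented "maximum reasonable SCN" rate of 16,384 SCNs per second counted from 1 January 1988, SELECT access to V$DATABASE, and a one-year warning margin that is our own choice.

```sql
-- Added example: estimate SCN headroom on an Oracle database.
-- Assumptions: max reasonable SCN = seconds since 1988-01-01 * 16384
-- (Oracle's published headroom rate); the 365-day warning margin is ours.
WITH scn AS (
  SELECT d.current_scn                                   AS current_scn,
         (SYSDATE - TO_DATE('1988-01-01', 'YYYY-MM-DD'))
           * 86400 * 16384                               AS max_reasonable_scn
    FROM v$database d
)
SELECT current_scn,
       ROUND(max_reasonable_scn)                         AS max_reasonable_scn,
       -- how many days of SCN growth remain at the maximum sustainable rate
       ROUND((max_reasonable_scn - current_scn) / 16384 / 86400, 1)
                                                         AS headroom_days,
       CASE
         WHEN (max_reasonable_scn - current_scn) / 16384 / 86400 < 365
           THEN 'WARN: less than one year of SCN headroom'
         ELSE 'OK'
       END                                               AS status
  FROM scn;
```

Run it on each database that participates in database links; a sudden drop in headroom_days on one node is the signal that a high SCN has arrived from a connected database.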
In testing, we confirmed that, indeed, the value could be raised artificially and spread from one database to another. And we consulted with many different Oracle experts about the problem. As with most newly discovered vulnerabilities, none of those experts had knowingly encountered the issue in the wild, but the story quotes two tech pros who clearly understood the implications.
We then contacted Oracle itself. Oracle representatives professed to be unaware of the method we had used to raise the SCN and asked us to hold publication of our story until the company could release a patch, which would purportedly also prevent nonmalicious methods of raising the SCN value to dangerous levels.
That patch is available today as a part of the Oracle Critical Patch Update for January 2012. It can be applied to the following Oracle Database versions: