January 2011 Critical Patch Update Released

Advertisements

Hi, this is Eric Maurice again. Oracle released the January 2011 Critical Patch Update (CPUJan2011) today. With this Critical Patch Update (CPU), Oracle's primary security vulnerability remediation program enters its seventh year (the first Critical Patch Update was released in January 2005). The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products. CPUs are issued on a predictable schedule published a year in advance. The CPU documentation, and more specifically, the risk matrices used to provide information about the nature and criticality of the vulnerabilities fixed in each CPU are consistent across all product lines and leverage industry standards such as CVSS (to provide an indication of the criticality of each vulnerability) and CVE (to provide a unique identifier for each vulnerability). Very importantly as well, Oracle's fixing and disclosure policies are transparent and are designed to provide equal protection to all Oracle customers. Today's Critical Patch Update (CPUJan2011) provides fixes for 66 security vulnerabilities across a wide range of products including: Oracle Database Server, Oracle Secure Backup, Oracle Audit Vault, Oracle Database Vault, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Applications, Oracle Industry Applications, Oracle PeopleSoft Enterprise, Oracle Solaris, and Oracle Open Office. 6 of the 66 security vulnerabilities affect Oracle Database Server including Oracle Database Vault. The most severe of these 6 vulnerabilities affects Oracle Enterprise Manager Grid Control, and received a CVSS Base Score of 7.5. In addition, a fix for an Oracle Audit Vault vulnerability which has received a CVSS Base Score of 10.0 is also provided in today's CPU. As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible so that they can maintain their security in-depth posture regardless of the existence of external mitigation factors that may prevent the exploitation of these vulnerabilities (e.g. network access controls, etc.) 16 fixes were released for Oracle Fusion Middleware. The maximum CVSS score for Oracle Fusion Middleware is 10.0 for 2 separate vulnerabilities. The first, for JRockit, refers to a set of Java Runtime Environment security fixes that were previously released by Oracle. The second one affects the Node Manager component of Oracle WebLogic Server. 11 fixes were released for Oracle PeopleSoft Enterprise. The maximum CVSS Base Score for these vulnerabilities is 7.5. It is for a single vulnerability affecting PeopleSoft 8.50 and 8.51. This vulnerability was publicly disclosed accidentally earlier this month. Oracle highly recommends that PeopleSoft customers apply this Critical Patch Update as soon as possible as a result of this accidental disclosure. This Critical Patch Update also includes fixes for 21 new vulnerabilities affecting the Oracle Sun product family and 2 new vulnerabilities affecting Oracle Open Office. The most severe vulnerability affecting the Sun Product family affects Oracle Solaris with a CVSS Base Score of 10.0. The 2 vulnerabilities affecting Oracle Open Office received a CVSS Base Score of 9.3 and are related to exploit conditions that exist when malicious attachments are opened by unsuspecting users. Oracle reported a 9.3 CVSS Base Score for these Open Office vulnerabilities because many users, particularly Windows XP users, run with administrative privileges. However, the CVSS Base Score for these vulnerabilities falls to 6.8 when these malicious attachments are opened by users with limited privileges. Sun customers, who wish to consult the Security Sun Alert notifications published before April 2010 can do so by visiting the "Sun Alert Archive and Mappings for Legacy SunSolve Document ID Numbers" page located at http://www.oracle.com/technetwork/topics/security/sunalertslisting-197036.html With today's Critical Patch Update, Oracle introduces an enhancement to the Critical Patch Update documentation. As a result of customer feedback, Oracle will now publish a plain English version of the risk matrices. This document can be found at http://www.oracle.com/technetwork/topics/security/cpujan2011verbose-194110.html. This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation. Finally, Oracle recently published a technical white paper titled "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" in an attempt to document the practices of a number of organizations, which had adopted repeatable processes to deal with the Critical Patch Updates. This white paper is located at http://www.oracle.com/us/support/assurance/leveraging-cpu-wp-164638.pdf, and is a good starting point for administrators who may be new to the Critical Patch Update or feel overwhelmed with the prospect of patching their systems. For More Information: "Inclusion Of Security Fixes For Externally Reported Security Bugs In The Critical Patch Updates", a blog entry by Clement Chen, can be found at http://blogs.oracle.com/security/2010/11/inclusion_of_security_fixes_fo.html The Critical Patch Updates and Security Alerts page is located at : http://www.oracle.com/technetwork/topics/security/alerts-086861.html More information about Oracle Software Security Assurance, including Oracle security fixing policies, is available on: http://www.oracle.com/us/support/assurance/index.html Note 394487.1 (My Oracle Support subscription required) provides a detailed explanation on how the CVSS ratings are applied in the CPU documentation. Security Sun Alert notifications prior to April 2010 for Sun products are located at http://www.oracle.com/technetwork/topics/security/sunalertslisting-197036.html Comments (0) A New Threat To Web Applications: Connection String Parameter Pollution (CSPP) By eric.maurice on December 15, 2010 12:59 PM Hi, this is Shaomin Wang. I am a security analyst in Oracle's Security Alerts Group. My primary responsibility is to evaluate the security vulnerabilities reported externally by security researchers on Oracle Fusion Middleware and to ensure timely resolution through the Critical Patch Update. Today, I am going to talk about a serious type of attack: Connection String Parameter Pollution (CSPP). Earlier this year, at the Black Hat DC 2010 Conference, two Spanish security researchers, Jose Palazon and Chema Alonso, unveiled a new class of security vulnerabilities, which target insecure dynamic connections between web applications and databases. The attack called Connection String Parameter Pollution (CSPP) exploits specifically the semicolon delimited database connection strings that are constructed dynamically based on the user inputs from web applications. CSPP, if carried out successfully, can be used to steal user identities and hijack web credentials. CSPP is a high risk attack because of the relative ease with which it can be carried out (low access complexity) and the potential results it can have (high impact). In today's blog, we are going to first look at what connection strings are and then review the different ways connection string injections can be leveraged by malicious hackers. We will then discuss how CSPP differs from traditional connection string injection, and the measures organizations can take to prevent this kind of attacks. In web applications, a connection string is a set of values that specifies information to connect to backend data repositories, in most cases, databases. The connection string is passed to a provider or driver to initiate a connection. Vendors or manufacturers write their own providers for different databases. Since there are many different providers and each provider has multiple ways to make a connection, there are many different ways to write a connection string. Here are some examples of connection strings from Oracle Data Provider for .Net/ODP.Net: Oracle Data Provider for .Net / ODP.Net; Manufacturer: Oracle; Type: .NET Framework Class Library: - Using TNS Data Source = orcl; User ID = myUsername; Password = myPassword; - Using integrated security Data Source = orcl; Integrated Security = SSPI; - Using the Easy Connect Naming Method Data Source = username/password@//myserver:1521/my.server.com - Specifying Pooling parameters Data Source=myOracleDB; User Id=myUsername; Password=myPassword; Min Pool Size=10; Connection Lifetime=120; Connection Timeout=60; Incr Pool Size=5; Decr Pool Size=2; There are many variations of the connection strings, but the majority of connection strings are key value pairs delimited by semicolons. Attacks on connection strings are not new (see for example, this SANS White Paper on Securing SQL Connection String). Connection strings are vulnerable to injection attacks when dynamic string concatenation is used to build connection strings based on user input. When the user input is not validated or filtered, and malicious text or characters are not properly escaped, an attacker can potentially access sensitive data or resources. For a number of years now, vendors, including Oracle, have created connection string builder class tools to help developers generate valid connection strings and potentially prevent this kind of vulnerability. Unfortunately, not all application developers use these utilities because they are not aware of the danger posed by this kind of attacks. So how are Connection String parameter Pollution (CSPP) attacks different from traditional Connection String Injection attacks? First, let's look at what parameter pollution attacks are. Parameter pollution is a technique, which typically involves appending repeating parameters to the request strings to attack the receiving end. Much of the public attention around parameter pollution was initiated as a result of a presentation on HTTP Parameter Pollution attacks by Stefano Di Paola and Luca Carettoni delivered at the 2009 Appsec OWASP Conference in Poland. In HTTP Parameter Pollution attacks, an attacker submits additional parameters in HTTP GET/POST to a web application, and if these parameters have the same name as an existing parameter, the web application may react in different ways depends on how the web application and web server deal with multiple parameters with the same name. When applied to connections strings, the rule for the majority of database providers is the "last one wins" algorithm. If a KEYWORD=VALUE pair occurs more than once in the connection string, the value associated with the LAST occurrence is used. This opens the door to some serious attacks. By way of example, in a web application, a user enters username and password; a subsequent connection string is generated to connect to the back end database. Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; In the password field, if the attacker enters "xxx; Integrated Security = true", the connection string becomes, Data Source = myDataSource; Initial Catalog = db; Integrated Security = no; User ID = myUsername; Password = XXX; Intergrated Security = true; Under the "last one wins" principle, the web application will then try to connect to the database using the operating system account under which the application is running to bypass normal authentication. CSPP poses serious risks for unprepared organizations. It can be particularly dangerous if an Enterprise Systems Management web front-end is compromised, because attackers can then gain access to control panels to configure databases, systems accounts, etc. Fortunately, organizations can take steps to prevent this kind of attacks. CSPP falls into the Injection category of attacks like Cross Site Scripting or SQL Injection, which are made possible when inputs from users are not properly escaped or sanitized. Escaping is a technique used to ensure that characters (mostly from user inputs) are treated as data, not as characters, that is relevant to the interpreter's parser. Software developers need to become aware of the danger of these attacks and learn about the defenses mechanism they need to introduce in their code. As well, software vendors need to provide templates or classes to facilitate coding and eliminate developers' guesswork for protecting against such vulnerabilities. Oracle has introduced the OracleConnectionStringBuilder class in Oracle Data Provider for .NET. Using this class, developers can employ a configuration file to provide the connection string and/or dynamically set the values through key/value pairs. It makes creating connection strings less error-prone and easier to manager, and ultimately using the OracleConnectionStringBuilder class provides better security against injection into connection strings.