Full Disclosure mailing list archives
Oracle 9i / 10g Fine Grained Auditing Issue
From: "Kornbrust, Alexander" <ak () red-database-security com>
Date: Thu, 5 May 2005 13:06:20 +0200
Red-Database-Security GmbH Oracle Security Advisory

Name                Oracle 9i / 10g Fine Grained Auditing Issue
Systems Affected    Oracle Database 9i / 10g
Severity            Medium Risk
Category            FGA Auditing disabled
Vendor URL          http://www.oracle.com
Author              Alexander Kornbrust (ak at red-database-security.com)
Date                03 May 2005 (V 1.00)
VU#                 777773

Description
###########
Fine grained audit (FGA) is disabled for all users if the user SYS runs a
SELECT statement on a FGA object. This issue is not related to the Oracle
Critical Patch Update 2005.

Workarounds
###########
Do not run SQL for FGA objects as user SYS. Flush the shared pool (or
restart the database) to activate auditing again.

More details including test case available:
##########################################
http://www.red-database-security.com/advisory/oracle-fine-grained-auditing-issue.html

Patch Information
#################
This information has been public for months but Oracle never released a
security alert for this issue. Applying patchset 10.1.0.4 fixes this
issue for Oracle 10g. Oracle 9i is still vulnerable.

History:
########
17 February 2004  Oracle logged and published this bug in Metalink
                  (Bugid: 3450991)
28 March 2005     Oracle released patchset 10.1.0.4 (Information included
                  in the patchset details)

About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
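A DBA-side check and recovery for the condition described in the advisory above. This is an added example, not part of the original post or the advisory's own test case. It assumes a DBA account other than SYS with access to the standard DBA_AUDIT_POLICIES, DBA_FGA_AUDIT_TRAIL and V$SQL views, and the text match in step 2 is only a heuristic.

```sql
-- Added example (not from the advisory). Run as a DBA account other than SYS.

-- 1. Objects that are supposed to be covered by an enabled FGA policy.
SELECT object_schema, object_name, policy_name
  FROM dba_audit_policies
 WHERE enabled = 'YES'
 ORDER BY object_schema, object_name;

-- 2. Heuristic: cursors parsed by SYS (user id 0) that are still in the
--    shared pool and whose text mentions an FGA-protected object name.
--    A hit means SYS has touched an FGA object since the last flush/restart,
--    which is the trigger condition the advisory describes.
SELECT s.first_load_time, p.object_schema, p.object_name, s.sql_text
  FROM v$sql s,
       dba_audit_policies p
 WHERE s.parsing_user_id = 0
   AND p.enabled = 'YES'
   AND UPPER(s.sql_text) LIKE '%' || UPPER(p.object_name) || '%'
 ORDER BY s.first_load_time;

-- 3. Last FGA record written per policy. A policy on a busy table whose
--    newest record predates the first_load_time reported in step 2 is a
--    sign that auditing has gone silent.
SELECT p.object_schema, p.object_name, p.policy_name,
       MAX(t.timestamp) AS last_fga_record
  FROM dba_audit_policies p,
       dba_fga_audit_trail t
 WHERE p.enabled = 'YES'
   AND t.object_schema (+) = p.object_schema
   AND t.object_name   (+) = p.object_name
   AND t.policy_name   (+) = p.policy_name
 GROUP BY p.object_schema, p.object_name, p.policy_name
 ORDER BY last_fga_record;

-- 4. Workaround from the advisory: flush the shared pool to activate
--    auditing again (a database restart has the same effect).
ALTER SYSTEM FLUSH SHARED_POOL;

-- 5. Verify: as an ordinary (non-SYS) test user, run a SELECT that matches
--    one policy's audit condition, then re-run step 3 and confirm that
--    last_fga_record for that policy has advanced.
```

Flushing the shared pool forces every cached statement to be re-parsed, so schedule step 4 accordingly on a loaded system.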