ISS X-Force Database: oracle-audit-data-manipulation(20407): Oracle Database Server Fine Grained Audit data manipulation

Oracle Database Server Fine Grained Audit data manipulation

oracle-audit-data-manipulation (20407)

Medium Risk

Description:

Oracle Database Server could allow a remote attacker to disable the Fine Grained Audit (FGA) option. If the SYS user runs a SELECT statement within a table, the statement will not be audited, and no other SELECTs within the table that are used by others will be audited. A remote attacker could exploit this vulnerability and use the database without the risk of generating an audit trail.

Consequences:

Data Manipulation

Remedy:

For Oracle9i:
No remedy available as of July 2007.

For Oracle 10g:
Apply the patchset 10.1.0.4, available from the Oracle Database Server Patch Sets Web page. See References..

References:

Full-Disclosure Mailing List, Thu May 05 2005 - 06:06:20 CDT: Oracle 9i / 10g Fine Grained Auditing Issue.
Oracle Database Documentation Library: Oracle Database ONline Documentation 10g Release 1 (10.1).
Oracle Database Server Patch Sets Web page: Oracle Database Server Patch Sets.
Oracle Database Web page: Oracle Database.
Red Database Security VU#3777773: Oracle Fine Grained Auditing Issue.
BID-13510: Oracle 9i/10g Database Fine Grained Audit Logging Failure Vulnerability
BID-16258: AmbiCom Blue Neighbors Bluetooth Stack Object Push Buffer Overflow Vulnerability
CVE-2005-1495: Oracle Database 9i and 10g disables Fine Grained Audit (FGA) after the SYS user executes a SELECT statement on an FGA object, which makes it easier for attackers to escape detection.

Platforms Affected:

Oracle Database Server 10.1.0.2
Oracle Database Server 10.1.0.3
Oracle Database Server 10.1.0.3.1
Oracle Database Server 10g
Oracle Database Server 9.0
Oracle Database Server 9.0.1
Oracle Database Server 9.0.1.2
Oracle Database Server 9.0.1.3
Oracle Database Server 9.0.1.4
Oracle Database Server 9.0.2
Oracle Database Server 9.2.0.1
Oracle Database Server 9.2.0.2
Oracle Database Server 9.2.1 R2
Oracle Database Server 9.2.2 R2

Reported:

May 02, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page