Friday, May 12, 2006

Oracle ANSI join security bug. Bad news again.

Trying to figure out a workaround, I have found that these DMLs that break authorization, also can not be AUDIT TRAILED.

1 Comments:

Blogger Andrew Max said...

Hi Mark,

Agree with you – I observed the same issue with audit trail days ago. And, as you probably noticed, Oracle flatly refuses to audit those DML statements for any user, no matter if he has required modification privileges.

I still have my “severity 1” TAR open, and recently I notified Oracle Support about this and some other side-effects of original problem.

Though I discovered some new side-effects of that security hole in Oracle, I have decided not to publish this kind of information anymore because things are too serious to fiddle with them. Maybe you won’t agree with me, but I think that publishing any extra information is not for better in this situation.

In any case, I appreciate that you are treating this issue with high confidence, thank you for your understanding in this regard.

My sincere respect,
Andrew Max.

1:56 PM  

Post a Comment

<< Home