1 Reply Latest reply on Aug 14, 2013 11:51 PM by zsysdba

    CVE-2013-3751 and Instant Client 11.2.0.3

    zsysdba

      The README for the July 2013 Database GI Patch Set Update mentions Instant Client installations needing Database PSU 11.2.0.3.7 to address CVE-2013-3751. Further details on the CVE at http://www.oracle.com/technetwork/topics/security/cpujuly2013verbose-1899830.html#DB say “Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.” The Patch README references the Oracle Call Interface Programmer’s Guide, and in there I found this relevant section: http://docs.oracle.com/cd/E11882_01/appdev.112/e10646/oci01int.htm#autoId37

      That document spells out the steps required to create Instant Client zip or RPM files. That’s great, but here at my company we haven’t gone through these steps in the past. We simply go to the appropriate page on oracle.com (Instant Client Downloads) and download what we need.

      I’m assuming the vulnerable file is in the “basic” package. I looked at the Linux x64 zip today and it has not been updated.

      unzip -l instantclient-basic-linux.x64-11.2.0.3.0.zip
      Archive:  instantclient-basic-linux.x64-11.2.0.3.0.zip
        Length      Date    Time    Name
      ---------  ---------- -----   ----
            437  09-17-2011 09:08   instantclient_11_2/BASIC_README
          25308  09-17-2011 09:08   instantclient_11_2/adrci
          46228  09-17-2011 09:08   instantclient_11_2/genezi
       52761218  09-17-2011 09:08   instantclient_11_2/libclntsh.so.11.1
        7955322  09-17-2011 09:08   instantclient_11_2/libnnz11.so
        1971762  09-17-2011 09:08   instantclient_11_2/libocci.so.11.1
      118408281  09-17-2011 09:08   instantclient_11_2/libociei.so
         164836  09-17-2011 09:08   instantclient_11_2/libocijdbc11.so
        2095661  09-17-2011 09:08   instantclient_11_2/ojdbc5.jar
        2714016  09-17-2011 09:08   instantclient_11_2/ojdbc6.jar
         191237  09-17-2011 09:08   instantclient_11_2/uidrvci
          66779  09-17-2011 09:08   instantclient_11_2/xstreams.jar
      ---------                     -------
      186401085                     12 files

      I have 2 questions.
      Q1. If I apply only the database server home patch, will my database server still be vulnerable to takeover if the unpatched Oracle Instant Client from oracle.com is left out on my various app servers?

      Q2. Is there any effort planned at Oracle to replace the vulnerable versions of Instant Client posted on oracle.com with updated versions no longer vulnerable?
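An added example, not part of the post above: a small Python check that parses `unzip -l` output the way the listing above is read by eye, and reports whether the client shared library in a downloaded Instant Client package is stamped before the July 2013 PSU, so the same check can be scripted over every app server's copy instead of inspected by hand. The sample listing is constructed from a few entries of the post's listing, and the July 2013 cut-off date is an assumption derived from the post's reference to the July 2013 patch set update.

```python
import re
from datetime import date

# Constructed sample: a few entries copied from the `unzip -l` listing quoted in the post.
SAMPLE_LISTING = """\
Archive:  instantclient-basic-linux.x64-11.2.0.3.0.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      437  09-17-2011 09:08   instantclient_11_2/BASIC_README
 52761218  09-17-2011 09:08   instantclient_11_2/libclntsh.so.11.1
118408281  09-17-2011 09:08   instantclient_11_2/libociei.so
---------                     -------
186401085                     12 files
"""

# Assumed cut-off: a file stamped before July 2013 cannot carry the July 2013 PSU fix.
PSU_CUTOFF = date(2013, 7, 1)

# One archive entry: size, date (MM-DD-YYYY or YYYY-MM-DD, depending on the unzip build),
# time, name. Header, separator and summary lines do not match and are skipped.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d{2}-\d{2}-\d{4}|\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+(\S+)\s*$"
)

def _parse_date(stamp):
    a, b, c = (int(p) for p in stamp.split("-"))
    return date(a, b, c) if len(stamp.split("-")[0]) == 4 else date(c, a, b)

def parse_unzip_listing(text):
    """Return (name, size, date) for each file entry in `unzip -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, stamp, name = m.groups()
            entries.append((name, int(size), _parse_date(stamp)))
    return entries

def newest_entry_date(text):
    """Newest timestamp in the archive, or None if no entries were parsed."""
    dates = [d for _, _, d in parse_unzip_listing(text)]
    return max(dates) if dates else None

def predates_psu(text, cutoff=PSU_CUTOFF, shared_lib="libclntsh.so"):
    """True when the client shared library in the listing is older than the cut-off,
    i.e. the package cannot have been rebuilt with the PSU (a conservative indicator)."""
    lib_dates = [d for name, _, d in parse_unzip_listing(text) if shared_lib in name]
    return bool(lib_dates) and max(lib_dates) < cutoff

if __name__ == "__main__":
    print("newest file:", newest_entry_date(SAMPLE_LISTING))
    print("predates July 2013 PSU:", predates_psu(SAMPLE_LISTING))  # True
```

File timestamps only show that a package was not rebuilt; a package stamped after the cut-off still has to be confirmed against the patch README before it is treated as fixed.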