In my previous blog, I tried to explain why the fundamental Oracle flaw is dangerous. On the other hand, in my tests I couldn’t find a way to pass a higher SCN to a target DB to crash it. Since then, I’ve been trying to verify that this flaw can be exploited. Here’s a short video of one of my tests:
InfoWorld magazine published a detailed article regarding an Oracle Database security flaw yesterday. InfoWorld says Oracle requested them to hold the story until they release a patch for the flaw. The flaw is related to the System Change Number (SCN). If the SCN is increased beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN), the database gives ORA-600 errors and crashes.
As we know, the System Change Number (SCN) is a number that increments sequentially with every database commit (inserts, updates, and deletes), and usually it’s not possible to reach the maximum value. The biggest problem is that the SCN is also incremented through linked database interactions.
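A monitoring sketch for the headroom described above, added here as an example and not taken from the original post or from Oracle. It assumes the commonly cited soft limit of 16,384 SCNs per second since 1988 with every month counted as 31 days; the alert thresholds and the sample readings are constructed for illustration.

```python
from datetime import datetime

SCN_PER_SECOND = 16 * 1024            # assumed growth rate of the soft limit
SCN_PER_DAY = SCN_PER_SECOND * 86400
EPOCH_YEAR = 1988                     # assumed start of the SCN clock


def max_reasonable_scn(ts):
    """Soft SCN limit at ts; the assumed formula treats every month as 31 days."""
    days = ((ts.year - EPOCH_YEAR) * 12 + ts.month - 1) * 31 + ts.day - 1
    seconds = (days * 24 + ts.hour) * 3600 + ts.minute * 60 + ts.second
    return seconds * SCN_PER_SECOND


def headroom_days(current_scn, ts):
    """Days of headroom left between the current SCN and the soft limit."""
    return (max_reasonable_scn(ts) - current_scn) / SCN_PER_DAY


def review_samples(samples, min_days=62.0, max_drop_days=1.0):
    """Check time-ordered (timestamp, scn) readings.

    Flags low headroom and sudden drops between consecutive readings, such as
    one that follows a database link connection to a peer with a higher SCN.
    Thresholds are arbitrary example values, not vendor guidance.
    """
    alerts, prev = [], None
    for ts, scn in samples:
        days = headroom_days(scn, ts)
        if days < min_days:
            alerts.append((ts, "LOW_HEADROOM", round(days, 1)))
        if prev is not None and prev - days > max_drop_days:
            alerts.append((ts, "HEADROOM_DROP", round(prev - days, 1)))
        prev = days
    return alerts


# Constructed readings: two normal days, then a jump that leaves 40 days.
_T = [datetime(2012, 1, 10), datetime(2012, 1, 11), datetime(2012, 1, 12)]
SAMPLES = [
    (_T[0], max_reasonable_scn(_T[0]) - 500 * SCN_PER_DAY),
    (_T[1], max_reasonable_scn(_T[1]) - 500 * SCN_PER_DAY),
    (_T[2], max_reasonable_scn(_T[2]) - 40 * SCN_PER_DAY),
]

if __name__ == "__main__":
    for ts, kind, value in review_samples(SAMPLES):
        print(ts.isoformat(), kind, value)
```

In practice the readings would come from periodic samples of the database's current SCN rather than from constants.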
As I see it, most Oracle experts do not realize the importance of this security threat. Some people even say that the Oracle SCN issue is a storm in a teacup. I think they miss that it’s possible to increase the SCN intentionally and use database links to exploit the bug. So let’s create a storm in a teacup 🙂 I should remind you that I will not take any responsibility if you mess up your databases. Just read the blog, do not test it on your systems.