Red-Database-Security GmbH Oracle Security Advisory

Name              Oracle 9i / 10g Fine Grained Auditing Issue
Systems Affected  Oracle Database 9i / 10g
Severity          Medium Risk
Category          FGA Auditing disabled
Vendor URL        http://www.oracle.com
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              03 May 2005 (V 1.00)

Description
###########
Fine grained auditing (FGA) is disabled for all users if the user SYS runs a SELECT statement on an FGA object. This issue is not related to the Oracle Critical Patch Update 2005.

Workarounds
###########
Do not run SQL for FGA objects as user SYS.
Flush the shared pool (or restart the database) to activate auditing again.

More details including test case available:
##########################################
http://www.red-database-security.com/advisory/oracle-fine-grained-auditing-issue.html

Patch Information
#################
This information has been public for months, but Oracle never released a security alert for this issue. Applying patchset 10.1.0.4 fixes this issue for Oracle 10g. Oracle 9i is still vulnerable.

History:
########
17 February 2004  Oracle logged and published this bug in Metalink (Bugid: 3450991)
28 March 2005     Oracle released patchset 10.1.0.4 (Information included in the patchset details)

About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com
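Added example, not part of the original advisory: a PL/SQL check that applies the shared pool flush from the Workarounds section and then confirms that an FGA policy writes audit records again. The schema APP, the table ORDERS and the policy ORDERS_FGA are placeholder names, and the script assumes a dedicated non-SYS account that may read the DBA_ views, select from the audited table and issue ALTER SYSTEM.

```sql
-- Added example (constructed): APP.ORDERS and ORDERS_FGA are placeholder names.
-- Run from SQL*Plus as a dedicated non-SYS check account.
SET SERVEROUTPUT ON
DECLARE
  c_policy  CONSTANT VARCHAR2(30) := 'ORDERS_FGA';  -- placeholder policy name
  v_user    VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_enabled VARCHAR2(3);
  v_before  NUMBER;
  v_after   NUMBER;
  v_rows    NUMBER;
BEGIN
  -- The advisory's trigger is SYS selecting from an FGA object,
  -- so the probe below must never run as SYS.
  IF v_user = 'SYS' THEN
    RAISE_APPLICATION_ERROR(-20001, 'Run this check as a non-SYS user');
  END IF;

  -- The dictionary still reports the policy as enabled while auditing is
  -- silently off, so this only catches the ordinary "policy disabled" case.
  SELECT enabled INTO v_enabled
    FROM dba_audit_policies
   WHERE object_schema = 'APP' AND object_name = 'ORDERS'
     AND policy_name = c_policy;
  IF v_enabled <> 'YES' THEN
    RAISE_APPLICATION_ERROR(-20002, 'Policy is disabled in the dictionary');
  END IF;

  -- Workaround from the advisory: flush the shared pool.
  EXECUTE IMMEDIATE 'ALTER SYSTEM FLUSH SHARED_POOL';

  -- Count only this account's records so other sessions do not mask a failure.
  SELECT COUNT(*) INTO v_before FROM dba_fga_audit_trail
   WHERE policy_name = c_policy AND db_user = v_user;

  -- Probe: replace with a query that the policy's audit condition and
  -- audit column are known to match.
  SELECT COUNT(*) INTO v_rows FROM app.orders;

  SELECT COUNT(*) INTO v_after FROM dba_fga_audit_trail
   WHERE policy_name = c_policy AND db_user = v_user;

  IF v_after > v_before THEN
    DBMS_OUTPUT.PUT_LINE('OK: ' || c_policy || ' wrote an audit record');
  ELSE
    DBMS_OUTPUT.PUT_LINE('ALERT: no audit record written for ' || c_policy);
  END IF;
END;
/
```

Scheduling the same probe without the flush step gives a recurring test that the audit trail is still being written on unpatched systems.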