Advisory for Oracle CPU October 2008 - APEX FLOWS excessive privileges ====================================================================== See http://www.petefinnigan.com/Advisory_CPU_Oct_2008.htm for details Description ----------- Oracle Appication Express (APEX) is a rapid development tool for developing web based ineterfaces and applications that run against an Oracle database. APEX is operated from a web browser and allows people with limited programming experience to develop professional applications. The issue located by PeteFinnigan.com Limited relates to excessive privileges assigned to the FLOWS database schema/user account. Risk ---- If the APEX schemas exist then the risk is still present without application of the patch. The risk increases if the schema is accessible due to a weak password or an additional attack vectors that allows code to run as the APEX FLOWS account. Access to the schema, either directly or indirectly are required to exploit this issue. Note that normally the password for this account in a default installation is random and complex. Workaround ---------- If APEX is not used in the database then it can be removed by dropping the FLOWS schemas and removing the APEX functionallity. Patch Information ----------------- PeteFinnigan.com Limited advises customers to apply the January 2008 CPU patch as soon as is practical. See Oracle's advisory for details of the patch availability matrix. Credit ------ Pete Finnigan of PeteFinnigan.com Limited discovered this vulnerability. cheers Pete -- Pete Finnigan Principal Consultant PeteFinnigan.com Limited Registered in England and Wales Company No: 4664901 Specialists in database security. If you need help to audit or secure an Oracle database, please ask for details of our courses and consulting services Phone: 0044 (0)1904 791188 Fax : 0044 (0)1904 791188 Mob : 0044 (0)7742 114223 email: pete@xxxxxxxxxxxxxxxx site : http://www.petefinnigan.com Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise.