Oracle’s “Security Alert Advisory for CVE-2012-3132” warns about an attack vector that was once again discovered by security expert David Litchfield. The vulnerability allows an attacker to execute SQL code with SYS privileges by using object names containing quotation marks, if the attacker
- has authorized access to the database,
- has CREATE TABLE and CREATE PROCEDURE privileges and
- is allowed to execute DBMS_STATS.
A fix for this issue was published in July 2012 but there’s also Oracle’s advisory on how to cope with the threat without patching the RDBMS. This recommendation, however, has implications when such a database is recovered or cloned:
It was recommended to create a before-DDL-trigger that checks object names in the DDL code and throws an error if quotes are contained in object names. If you use the code provided in the advisory, you get a
- Before-DDL-Trigger named SYS.NAMECHECK_BEFORE_DDL_DB_TRG, calling a
- Package SYS.NAME_SECURITY.
After recovering or cloning a database containing this trigger, the following error may occur:
```
-- after running: CREATE CONTROLFILE
-- ALTER DATABASE OPEN RESETLOGS;
SQL> ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-25153: Temporary Tablespace is Empty
ORA-06512: at "SYS.NAME_SECURITY", line 166
ORA-06512: at line 2
```
This is where the cat bites its own tail: to execute the trigger or the package, a temporary tablespace is required. But immediately after recovery, temp tablespaces aren’t yet available because their tempfiles haven’t been re-created. Automatic clones and RMAN recovery scripts will fail in such a setup!
To get around this issue, disable the trigger temporarily:
```sql
alter trigger SYS.NAMECHECK_BEFORE_DDL_DB_TRG disable;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
alter trigger SYS.NAMECHECK_BEFORE_DDL_DB_TRG enable;
```
This, of course, is just a workaround for this issue; to be able to run existing recovery scripts completely again, it is better to apply the recommended patch. A DDL-trigger isn’t necessary with this patch, as the exploit is no longer possible.
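An exception-safe variant of the workaround above, as an added example that is not taken from Oracle's advisory or the original post: it re-enables the mitigation trigger even when ADD TEMPFILE fails, so an unpatched database is not left without the name check. It assumes a SQL*Plus session connected AS SYSDBA and reuses the trigger name and tempfile path shown on this page; the error numbers -20001 and -20002 are arbitrary choices.

```sql
-- Added example (not from Oracle's advisory): exception-safe workaround.
-- Assumes SQL*Plus connected AS SYSDBA; names and path are those used above.
WHENEVER SQLERROR EXIT FAILURE

DECLARE
  c_owner    CONSTANT VARCHAR2(30)  := 'SYS';
  c_trigger  CONSTANT VARCHAR2(30)  := 'NAMECHECK_BEFORE_DDL_DB_TRG';
  c_tempfile CONSTANT VARCHAR2(512) := '/app/oradata/ORCL/data/temp_01.dbf';
  v_disabled BOOLEAN := FALSE;   -- TRUE only if this block disabled the trigger
  v_add_err  VARCHAR2(512);      -- error text from ADD TEMPFILE, if any

  -- Returns ENABLED / DISABLED, or NULL when the trigger is not deployed.
  FUNCTION trigger_status RETURN VARCHAR2 IS
    v VARCHAR2(8);
  BEGIN
    SELECT status INTO v FROM dba_triggers
     WHERE owner = c_owner AND trigger_name = c_trigger;
    RETURN v;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN NULL;
  END;
BEGIN
  -- Disable the trigger only if it exists and is currently enabled.
  IF trigger_status = 'ENABLED' THEN
    EXECUTE IMMEDIATE 'ALTER TRIGGER ' || c_owner || '.' || c_trigger || ' DISABLE';
    v_disabled := TRUE;
  END IF;

  -- Capture a failure instead of propagating it, so the re-enable still runs.
  BEGIN
    EXECUTE IMMEDIATE 'ALTER TABLESPACE TEMP ADD TEMPFILE '''
                      || c_tempfile || ''' SIZE 2G';
  EXCEPTION
    WHEN OTHERS THEN v_add_err := SQLERRM;
  END;

  -- Restore the mitigation and verify its state in the dictionary.
  IF v_disabled THEN
    EXECUTE IMMEDIATE 'ALTER TRIGGER ' || c_owner || '.' || c_trigger || ' ENABLE';
    IF NVL(trigger_status, 'MISSING') <> 'ENABLED' THEN
      RAISE_APPLICATION_ERROR(-20001, c_trigger || ' was not re-enabled');
    END IF;
  END IF;

  -- Surface the original failure so the recovery script stops with an error.
  IF v_add_err IS NOT NULL THEN
    RAISE_APPLICATION_ERROR(-20002, 'ADD TEMPFILE failed: ' || v_add_err);
  END IF;
END;
/
```

A non-zero SQL*Plus exit code then means either the tempfile was not added or the trigger state needs to be checked by hand.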
Generally speaking, any DDL or system event trigger can cause this error scenario. If this specific trigger/package combination isn’t deployed on your database but the error still occurs, temporarily disabling all system triggers will be a remedy:
```sql
-- Disallow execution of any system trigger:
ALTER SYSTEM SET "_system_trig_enabled" = FALSE;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
ALTER SYSTEM SET "_system_trig_enabled" = TRUE;
```
- CTXSYS.CONTEXT Privilege Escalation, short description of the threat
- Oracle Technet: Security Alert Advisory for CVE-2012-3132
- Oracle Support Note 1482694.1: Mitigation steps for CVE-2012-3132
- Oracle Support Note 1480492.1: Patch availability for this threat