Security Fix Breaks Recovery

Oracle’s “Security Alert Advisory for CVE-2012-3132” warned about an attack vector that, once again, was discovered by security researcher David Litchfield. The vulnerability lets a user execute SQL with SYS privileges by way of object names that contain quotation marks, provided that the attacker

  1. has authorized access to the database,
  2. has CREATE TABLE and CREATE PROCEDURE privileges and
  3. is allowed to execute DBMS_STATS.

A fix for this issue was published in July 2012, but Oracle’s advisory also describes how to mitigate the threat without patching the RDBMS. This recommendation, however, has implications whenever such a database is recovered or cloned:

Oracle recommended creating a before-DDL trigger that inspects the object names in every DDL statement and raises an error if a name contains a quotation mark. If you use the code provided in the advisory, you get a

  • Before-DDL-Trigger named SYS.NAMECHECK_BEFORE_DDL_DB_TRG, calling a
  • Package SYS.NAME_SECURITY.
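To make the mechanism concrete, here is a minimal before-DDL trigger of the same kind, written for this page as an illustration. It is not the advisory’s NAMECHECK_BEFORE_DDL_DB_TRG/NAME_SECURITY code, and the trigger name is hypothetical. It has to be created as SYSDBA, and it shows the property that matters for the rest of this post: a DATABASE-level DDL trigger fires for every DDL statement in the instance, ALTER TABLESPACE ... ADD TEMPFILE included.

```sql
-- Added illustration, not Oracle's advisory code. Trigger name is hypothetical.
-- Run as SYSDBA. A DATABASE-level DDL trigger fires for every DDL statement,
-- including the ALTER TABLESPACE ... ADD TEMPFILE issued during recovery.
CREATE OR REPLACE TRIGGER sys.quotecheck_before_ddl_trg
  BEFORE DDL ON DATABASE
DECLARE
  -- ora_dict_obj_name / _type / _owner are Oracle's event attribute functions
  -- for the object the current DDL statement acts on.
  v_name VARCHAR2(128) := ora_dict_obj_name;
BEGIN
  -- Reject any object name carrying a double or single quotation mark.
  IF v_name IS NOT NULL
     AND (INSTR(v_name, '"') > 0 OR INSTR(v_name, '''') > 0) THEN
    RAISE_APPLICATION_ERROR(
      -20132,
      'Object names containing quotation marks are not allowed: '
      || ora_dict_obj_type || ' ' || ora_dict_obj_owner || '.' || v_name);
  END IF;
END;
/
```

With this trigger in place, `CREATE TABLE "A""B" (x NUMBER)` is rejected with ORA-20132 because the dictionary name of that table is `A"B`, while `CREATE TABLE ab (x NUMBER)` passes. Like the advisory’s trigger, it is only a stop-gap until the patch is applied, and it should be dropped afterwards.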

After recovering or cloning a database containing this trigger, the following error may occur:

-- after running: CREATE CONTROLFILE
-- ALTER DATABASE OPEN RESETLOGS;

SQL> ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-25153: Temporary Tablespace is Empty
ORA-06512: at "SYS.NAME_SECURITY", line 166
ORA-06512: at line 2

This is a chicken-and-egg problem: the trigger’s package needs a temporary segment when it runs (the ORA-25153 is raised from SYS.NAME_SECURITY, line 166, at recursive SQL level 1), but right after CREATE CONTROLFILE and OPEN RESETLOGS no tempfiles exist yet, because tempfiles are not recorded in the re-created control file and have to be added again. Adding them is itself a DDL statement, so the trigger fires and fails before the tempfile can be created. Automated clones and RMAN recovery scripts will fail in such a setup!

To get around this issue, disable the trigger temporarily:

alter trigger SYS.NAMECHECK_BEFORE_DDL_DB_TRG disable;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
alter trigger SYS.NAMECHECK_BEFORE_DDL_DB_TRG enable;

This, of course, is only a workaround. While the trigger is disabled the mitigation is not in force, so keep the window to the single statement that needs it. To run existing recovery scripts unchanged again, it is better to apply the recommended patch: with the patch installed the DDL trigger is no longer necessary, as the exploit is no longer possible, and it can be dropped.

Generally speaking, any DDL or system-event trigger can cause this error scenario. If this specific trigger/package combination isn’t deployed on your database but the error still occurs, disabling all system triggers is a remedy. Note that "_system_trig_enabled" is an undocumented, instance-wide parameter: while it is FALSE no system trigger fires at all, including logon, startup and servererror triggers that may enforce access restrictions or auditing, so keep the window as short as possible. With an spfile, ALTER SYSTEM without a SCOPE clause also persists the value to the spfile; adding SCOPE=MEMORY avoids a database that comes back after a crash mid-script with its system triggers still switched off:

-- Disallow execution of any system trigger:
ALTER SYSTEM SET "_system_trig_enabled" = FALSE;
ALTER TABLESPACE TEMP ADD TEMPFILE '/app/oradata/ORCL/data/temp_01.dbf' SIZE 2G;
ALTER SYSTEM SET "_system_trig_enabled" = TRUE;
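The two workarounds above, combined into one recovery-script step, as an added example that is not part of the original post or of Oracle’s advisory. It assumes SQL*Plus run as SYSDBA, a temporary tablespace named TEMP, and uses the tempfile path and size from the post as placeholders. It disables the advisory’s trigger if that trigger is present and enabled; otherwise, and only if some other system trigger is enabled, it falls back to the hidden parameter with memory scope. In both cases the previous state is restored even if ADD TEMPFILE fails, so a failed recovery never leaves the mitigation switched off.

```sql
-- Added example, not code from the original post or from Oracle's advisory.
-- Run in SQL*Plus as SYSDBA directly after ALTER DATABASE OPEN RESETLOGS.
-- Assumptions: temp tablespace is TEMP; path and size are placeholders.
SET SERVEROUTPUT ON
WHENEVER SQLERROR EXIT FAILURE
DECLARE
  c_tempfile CONSTANT VARCHAR2(200) := '/app/oradata/ORCL/data/temp_01.dbf';
  c_size     CONSTANT VARCHAR2(20)  := '2G';
  c_trigger  CONSTANT VARCHAR2(61)  := 'SYS.NAMECHECK_BEFORE_DDL_DB_TRG';
  v_count    PLS_INTEGER;
  v_mode     VARCHAR2(10);   -- 'TRIGGER', 'PARAM' or 'NONE'

  -- Undo whatever was switched off, used on both the success and the error path.
  PROCEDURE restore IS
  BEGIN
    IF v_mode = 'TRIGGER' THEN
      EXECUTE IMMEDIATE 'ALTER TRIGGER ' || c_trigger || ' ENABLE';
    ELSIF v_mode = 'PARAM' THEN
      EXECUTE IMMEDIATE 'ALTER SYSTEM SET "_system_trig_enabled" = TRUE SCOPE=MEMORY';
    END IF;
  END;
BEGIN
  -- Is the advisory's own trigger deployed and enabled?
  SELECT COUNT(*) INTO v_count
    FROM dba_triggers
   WHERE owner = 'SYS'
     AND trigger_name = 'NAMECHECK_BEFORE_DDL_DB_TRG'
     AND status = 'ENABLED';

  IF v_count = 1 THEN
    -- Targeted: switch off only the known offender.
    v_mode := 'TRIGGER';
    EXECUTE IMMEDIATE 'ALTER TRIGGER ' || c_trigger || ' DISABLE';
  ELSE
    -- Any other enabled database-level (system event) trigger at all?
    SELECT COUNT(*) INTO v_count
      FROM dba_triggers
     WHERE base_object_type = 'DATABASE'
       AND status = 'ENABLED';
    IF v_count > 0 THEN
      -- Blunt: mute every system trigger. SCOPE=MEMORY so a crash mid-script
      -- does not leave FALSE persisted in the spfile.
      v_mode := 'PARAM';
      EXECUTE IMMEDIATE 'ALTER SYSTEM SET "_system_trig_enabled" = FALSE SCOPE=MEMORY';
    ELSE
      v_mode := 'NONE';   -- nothing to disable, just add the tempfile
    END IF;
  END IF;
  DBMS_OUTPUT.PUT_LINE('system trigger handling: ' || v_mode);

  BEGIN
    EXECUTE IMMEDIATE 'ALTER TABLESPACE TEMP ADD TEMPFILE ''' || c_tempfile
                   || ''' SIZE ' || c_size;
  EXCEPTION
    WHEN OTHERS THEN
      restore;   -- never leave triggers off because ADD TEMPFILE failed
      RAISE;     -- let WHENEVER SQLERROR stop the recovery script
  END;
  restore;
END;
/
```

The targeted branch keeps every other system trigger, logon and audit triggers included, running; the parameter branch is only taken when the database actually has some other enabled system trigger, since setting a hidden parameter on a database that does not need it buys nothing. If ADD TEMPFILE still fails in the targeted branch, another DDL trigger is involved and the error is re-raised with the original trigger already re-enabled.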
