Oracle’s flagship database software has a major flaw which could create some serious outages.
Oddly, the hole has been found by InfoWorld hacks rather than the usual suspects from the security companies.
It came about because of a collection of problems within the database. Normally when bugs result in a database outage, the system can be recovered from backups. But these flaws create such a mess it will take ages to fix.
Oracle has admitted that the problem is real and it is spending considerable time and money to monitor, plan, and fix it. It has released a fix as part of its Oracle Critical Patch Update for January 2012.
While any unpatched Oracle Database customer is vulnerable to malicious attack, it is a special risk to large Oracle customers with interconnected databases. The flaws exist in a mechanism deep in the database engine, one that most Oracle DBAs seldom see, called the System Change Number (SCN). This is a number that increments sequentially with every database commit (inserts, updates, and deletes), and it is crucial to normal Oracle database operation.
Oracle knew that the SCN needed to be a massive number, so it used a 48-bit number (281,474,976,710,656); it should take ages for an Oracle database to eclipse that number of transactions and pack a sad.
But the number is worked out by a very simple calculation anchored to a point in time 24 years ago. You take the number of seconds since 00:00:00 01/01/1988 and multiply that figure by 16,384. The problem is that it is unlikely that a database has been running constantly since 01/01/1988, processing 16,384 transactions per second.
A number of flaws can force a database to go over this number, and hackers could exploit them.
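As an added example (not from InfoWorld or Oracle), here is a headroom check a DBA could run against an SCN value read from a database, using the calculation exactly as stated above. The function names, the UTC anchor, the use of plain calendar seconds and the 30-day warning threshold are assumptions, and Oracle's internal calculation may differ in detail.

```python
from datetime import datetime, timedelta, timezone

# Constants taken from the article; UTC is an assumption.
EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)
RATE = 16_384          # multiplier applied to each elapsed second
SCN_MAX = 2 ** 48      # 281,474,976,710,656, the 48-bit size quoted above


def scn_ceiling(now: datetime) -> int:
    """Seconds since 1988-01-01 times 16,384, capped at the 48-bit maximum."""
    seconds = int((now - EPOCH).total_seconds())
    return min(seconds * RATE, SCN_MAX)


def headroom_days(current_scn: int, now: datetime) -> float:
    """Days of ceiling growth between current_scn and the ceiling.

    Negative means the SCN is already past the ceiling.
    """
    return (scn_ceiling(now) - current_scn) / (RATE * 86_400)


def assess(current_scn: int, now: datetime, warn_days: float = 30.0) -> str:
    """Classify an SCN reading; warn_days is a hypothetical alert threshold."""
    days = headroom_days(current_scn, now)
    if days < 0:
        return "OVER"
    return "WARN" if days < warn_days else "OK"


def ceiling_exhaustion_year() -> int:
    """Year in which the time-based ceiling itself reaches 2**48."""
    return (EPOCH + timedelta(seconds=SCN_MAX // RATE)).year


if __name__ == "__main__":
    # Constructed sample readings, not taken from any real database.
    now = datetime(2012, 1, 17, tzinfo=timezone.utc)
    top = scn_ceiling(now)
    for label, scn in [("quiet database", 1_000_000),
                       ("10 days below ceiling", top - 10 * RATE * 86_400),
                       ("past ceiling", top + 1)]:
        print(f"{label}: scn={scn} headroom={headroom_days(scn, now):.1f}d "
              f"-> {assess(scn, now)}")
    print("ceiling reaches 2**48 in", ceiling_exhaustion_year())
```

Tracking the headroom figure over time, rather than the raw SCN, shows whether a database is gaining on the ceiling faster than the ceiling grows.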