Fundamental Oracle flaw revealed

Ojha continues: "If this occurs, even though its probability is low, the potential [financial] loss ... is very high." By definition, he said, the problem has the potential to affect only large Oracle customers. But "once the SCN limit is reached, there is no easy way to get out of the problem, other than shutting down all databases and rebuilding databases from scratch."

Anton Nielsen, the president of C2 Consulting and an Oracle expert, focused on the potential risk of malicious attack using an elevated SCN: "In theory, the elevated SCN attack is similar to a DoS attack in two significant ways: It can bring a system to its knees, rendering it inoperable for a significant period of time, and it can be accomplished by a user with limited permissions. While a DoS can be perpetrated by anyone with network access to a Web server, however, the elevated SCN requires a database username and password with the ability to connect."

The Oracle reactionWhen we first contacted Oracle about the SCN issue, Mark Townsend, vice president of database product management, offered this reaction to our discovery of a low-privilege method to arbitrarily increase the SCN: "The way that you're putting these [issues] together is nothing that we've seen ... we need to understand what it is that you're doing to raise the SCN by trillions. Obviously I need to have some time to have the dev people look at that. "

After much discussion and exchange of technical data, Oracle acknowledged that there were ways to increase the SCN at will. Referring to one method, Townsend said, "This is an undocumented, hidden parameter, so it was never intended for customers to discover and use this."

However, we pointed out that there were several other methods that could be used; we sent those to Oracle as well.