Critical Oracle Database Bug - System Change Number (SCN) (CVE-2012-0082)

InfoWorld magazine today published detailed information regarding Oracle Database security bug CVE-2012-0082, which has associated fixes in the Oracle's January 2012 Critical Patch Update.  This security vulnerability specifically relates to the Oracle System Change Number (SCN) and ways to increase the SCN beyond the current maximum value (SCN Headroom or Maximum Reasonable SCN) in order to stop processing of database transactions. 

Where this vulnerability gets interesting is that the SCN is synchronized to the highest SCN when two databases are connected via a database link.  Therefore, it is possible to increase a database to the near maximum SCN through a database link, which will cascade through to all other interconnected databases.  The result can be ORA-600 errors and potentially database crashes on the database with the lower SCN.

This vulnerability appears to have been discovered as the result of a bug in RMAN which can cause the SCN to reach current maximum SCN value and a change in the way the Maximum Reasonable SCN is calculated in 11.2.0.2.  The 11.2.0.2 change appears to have impacted or crashed at least a hundred databases at a very large Oracle customer.

As this vulnerability will get significant press, we foresee an "arms race" ensuing with release of different methods to maliciously increment the current SCN and techniques to perform database denial of services attacks related to the SCN.

Integrigy will be publishing in the near future our analysis of the impact of this vulnerability along with recommendations on mitigating the risk in your organization.

Oracle has published more information regarding SCNs and potential impact in a My Oracle Support (MOS) note (requires My Oracle Support access) -

Information on the System Change Number (SCN) and how it is used in the Oracle Database [ID 1376995.1]