Oracle SCN Bug Revealed: CPU Jan 2012 to Address It
- Posted by Quest Customer Learning Team
- Last updated 10/13/19
http://www.infoworld.com/d/security/revealed-fundamental-oracle-flaw-184163?page=0,0
< from the InfoWorld article>
The heart of the matter
At the core of the issue is the System Change Number (SCN) in Oracle. This is a number that increments sequentially with every database commit: inserts, updates, and deletes. The SCN is also incremented through linked database interactions.
The SCN is crucial to normal Oracle database operation. The SCN “time stamp” is the key to maintaining data consistency in Oracle, allowing the database to respond to every user’s query with the appropriate version of data at every point in time. It functions as the database’s clock, so to speak. And like time, the SCN cannot decrement. It must always tick forward.
When Oracle databases link to each other, maintaining data consistency requires them to synchronize to a common SCN. This is necessarily the highest SCN carried by any participating Oracle database instance because the SCN clock cannot run backward — so database linking causes the SCN in many databases to jump during normal operations. And only very basic permissions are required to make a connection that can cause one database to increment the SCN on another.
The architects of Oracle’s flagship database application must have been well aware the SCN needed to be a massive integer. It is: a 48-bit number (281,474,976,710,656). It would take eons for an Oracle database to eclipse that number of transactions and cause problems — or so you might think.
</end article>
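A small model of the linking behaviour the quoted article describes, added here as an illustration and not taken from InfoWorld or Oracle: each pair of linked databases adopts the higher SCN, so one high value spreads through databases that never connect to its origin directly. The database names, SCN values, link sequence and the `alert_jump` threshold are constructed, and the function names are hypothetical.

```python
# Toy model (added example): SCN synchronisation across database links.
SCN_MAX = 2**48  # 281,474,976,710,656, the 48-bit ceiling quoted above


def link(scns, a, b):
    """One linked interaction: both databases adopt the higher of the two SCNs."""
    scns[a] = scns[b] = max(scns[a], scns[b])


def simulate(initial, interactions, alert_jump=1_000_000_000):
    """Replay link interactions in order.

    Returns (final SCN per database, list of (db, old, new) jumps that a
    monitor would flag because they exceed alert_jump in a single step).
    alert_jump is a hypothetical threshold, not an Oracle setting.
    """
    scns = dict(initial)
    alerts = []
    for a, b in interactions:
        before = {a: scns[a], b: scns[b]}
        link(scns, a, b)
        for db, old in before.items():
            assert scns[db] >= old  # the SCN clock never runs backward
            if scns[db] - old > alert_jump:
                alerts.append((db, old, scns[db]))
    return scns, alerts


def headroom(scn):
    """SCN values left before the 48-bit ceiling."""
    return SCN_MAX - scn


# Constructed estate: three ordinary databases and one with a very high SCN.
ESTATE = {"hr": 1_000_000, "finance": 5_000_000,
          "reporting": 2_000_000, "archive": 90_000_000_000_000}
# Constructed link activity; hr never talks to archive directly.
LINKS = [("archive", "reporting"), ("reporting", "finance"), ("finance", "hr")]

if __name__ == "__main__":
    final, alerts = simulate(ESTATE, LINKS)
    for db, old, new in alerts:
        print(f"ALERT {db}: SCN jumped {old:,} -> {new:,}, headroom {headroom(new):,}")
    print(final)
```

The alert list is the part a monitoring job would act on: a sudden SCN jump on a database is the visible sign that a link partner carried a much higher value.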
Link to Oracle Critical Patch Update (Jan 2012):
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html