Security Alert # 68

Thread: Security Alert # 68

  1. #1
    Join Date
    Jan 2000
    Location
    Chester, England.
    Posts
    818

    Security Alert # 68

    As luck would have it we run 9.2.0.4 on Windows servers for which there is no patch!

    We have to patch to 9.2.0.5 but as the systems are closed and validated systems there'll be much revalidation and weeping and gnashing of teeth.

    So ... so that I can convince management - can anyone give me some outline of the security risk if left unpatched? There's no real detail on Metalink - just a strong advisory statement to apply the patches. I know what the MD will say: "Can we risk it?" and without some detail on the risk I can't advise him.

  2. #2
    Join Date
    May 2002
    Location
    Western Australia
    Posts
    233
    Hi Jmac,

    Have you checked out doc 281188.1?

    It gives brief details on the possible exploits.

    Personally I copied it to the security manager who went green and then a very attractive shade of purple!

    We have the same problem. I even have 8 apps running against 8.1.7.0 where the owning "DBA" said he'd always ignored the patch alerts!!

    I now have 14 servers to upgrade before even starting to apply patches, and that's if the version is even supported by the application vendors...

    I guess it depends on the kind of site you're at. If there's plenty of external access, I'd say it was a must!

    Good luck

    Nick

  3. #3
    Join Date
    Jan 2000
    Location
    Chester, England.
    Posts
    818
    Thanks Nick.
    Wish I had a security manager who'd make decisions like that!

  4. #4
    Join Date
    Jan 2000
    Location
    Chester, England.
    Posts
    818
    Is it just me?

    Can't seem to find any detail of the risk in that Note. What exactly should I be looking at?

    John

  5. #5
    Join Date
    Oct 2002
    Posts
    807
    Originally posted by JMac
    Is it just me?

    Can't seem to find any detail of the risk in that Note. What exactly should I be looking at?

    John

    They only updated the documents as recently as yesterday. Give it some time. Hopefully they'll add some level of detail to it. I haven't looked at the individual patch readme documents for other OSes (besides Windows) yet. I'm *guessing* that'll have more detail.

  6. #6
    Join Date
    Oct 2002
    Posts
    807
    The patch readmes don't help either. The patches claim to fix bugs 3811906, 3828166, and 3838197. But the bug details aren't available yet! Guess the best bet is to wait a bit.

  7. #7
    Join Date
    May 2001
    Posts
    73

    Oracle support reply

    This is what Oracle support has to say

    "It is my understanding that the alert is in the process of being rewritten. We are receiving many tars asking what it fixes. Unfortunately, we in support don't know anything more than what the alert says. I can't answer the question at this time."
    OCP 7.3,8.0,8i,9i

  8. #8
    Join Date
    May 2002
    Location
    Western Australia
    Posts
    233
    I got the same response as ard_jen.

    Seems like a number of people are having trouble installing the patches anyway.

    It's pretty poor since there is only limited detail. Everything on the Metalink forums seems to be going unanswered by Oracle.

    Jmac, I told you that note was brief

    I'm rapidly moving to the view that we hold off until we get something more substantial from Larry's boys. Probably still have to upgrade the 8.1.7.0 DBMSs though.

    Cheers

    Nick

  9. #9
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Originally posted by Axr2
    They only updated the documents as recently as yesterday. Give it some time.

    My supposition is that they avoided publishing a "hacker's handbook" before the fixes were available. If I were running a server with some degree of external access, I'd be testing patches now, so that I could get them into production fast the moment the vulnerabilities were published.

  10. #10
    Join Date
    May 2001
    Posts
    73

    list of vulnerabilities

    OCP 7.3,8.0,8i,9i
