Security Alert # 68

As luck would have it we run 9.2.0.4 on Windows servers for which there is no patch!

We have to patch to 9.2.0.5 but as the systems are closed and validated systems there'll be much revalidation and weeping and gnashing of teeth.

So ... so that I can convince management - can anyone give me some outline of the security risk if left unpatched? There's no real detail on Metalink - just a strong advisory statement to apply the patches. I know what the MD will say: "Can we risk it?" and without some detail on the risk I can't advise him.

Hi Jmac,

Have you checked out doc 281188.1

It gives brief details on the possible exploits.

Personally I copied it to the security manager who went green and then a very attractive shade of purple!

We have the same problem. I even have 8 apps running against 8.1.7.0 which the owning "DBA" said he'd always ignored the patch alerts!!

I now have 14 servers to upgrade before even starting to apply patches and thats if the version is even supported by the application vendors...... .

I guess it depends on the kind of site you're at. If there's plenty of external access, I'd say it was a must!

Good luck

Nick

Thanks Nick.
Wish I had a security manager who'd make decisions like that!

Is it just me?

Can't seem to find any detail of the risk in that Note. What exactly should I be looking at?

John

Quote:

---

Originally posted by JMac
Is it just me?

Can't seem to find any detail of the risk in that Note. What exactly should I be looking at?

John

---

They only updated the documents as recently as yesterday. Give it sometime. Hopefully they'll add some level of detail to it. I haven't looked at the individual patch readme documents for other OSes (besides Windows) yet. I'm *guessing* that'll have more detail..

The patch read mes don't help either. The patches claim to fix bugs 3811906, 3828166, and 3838197. But the bug details aren't available yet! Guess the best bet is to wait a bit.

This is what Oracle support has to say

"It is my understanding that the alert is in the process of being rewritten. We are receiving many tars asking what it fixes. Unfortunately, we in support don't know anything more than what the alert says. I can't answer the question at this time."

I got the same response as ard_jen.

Seems like a number of people are having trouble installing the patches anyway.

It's pretty poor since there is only limited detail. Everything on the metalink forumns seems to be going unanswered by Oracle.

Jmac, I told you that note was brief :)

I'm rapidly moving to the view, that we hold off until we get something more substantial from Larry's boys. Probably still have to upgrade the 8.1.7.0 DBMSs though.

Cheers

Nick

Quote:

---

Originally posted by Axr2
They only updated the documents as recently as yesterday. Give it sometime.

---

My supposition is that they avoided publishing a "hacker's handbook" before the fixes were available. If I were running a server with some degree of external access, I'd be testing patches now, so that I could get them into production fast the moment the vulnerabilities were published.

follow the link.

http://www.appsecinc.com/resources/a...cle/2004-0001/

Computerworld ran an article a month ago that talks a little more about the vulnerabilities. It gives a "bit" more information.

ComputerWorld

Quick bounce as I notice Oracle have updated note 281189.1 with completion dates for 9.2.0.4 on windows. Due some time this month.

Cheers.

Nick

What you guys think of the Vulnerabilities listed in the link below?

http://www.appsecinc.com/resources/...acle/2004-0001/

Would I be correct to assume that Oracle will not develop patches to fix any "Desupported" versions?

Quote:

---

Originally posted by rad_jen
What you guys think of the Vulnerabilities listed in the link below?

http://www.appsecinc.com/resources/...acle/2004-0001/

---

Are these all vulnerabilities?

Quote:

---

Originally posted by julian
Are these all vulnerabilities?

---

It states that those are only "....vulnerabilities researched and discovered by Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc.". There are plenty of other vulnerabilities discovered and reported by other sources.

Quote:

---

Originally posted by jmodic
There are plenty of other vulnerabilities discovered and reported by other sources.

---

URL?

http://www.oradbway.com/php_nuke/mod...rder=0&thold=0

Quote:

---

Originally posted by pando
http://www.oradbway.com/php_nuke/mod...rder=0&thold=0

---

About the "other" vulnerabilities. These links are very general.

I'm not sure what would you realy like to have. You asked if there are any other vulnerabilities beside those reported by Appsecinc and you were told there are plenty of others. You asked for URL and Pando have provided you four other URLs on this subject. Now you object that they are "too general". What kind of details do you want? If you have followed some of those URLs you would have found out that it is a common practice among those researchers that they do not publish any datils about security vulnerabilities findings, at least not until the patches are available. The reason for that is very obvious.

David Litchfield alone has reported the finding of 34 different vulnerabilities in Oracles database software - he reported them to Oracle and provided no further details about those flaws to general public.

In one of Pando's URLS you can find the following:

Quote:

---

.... NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on the 31st of November 2004. This three month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure.

---

Bottomline:
Q: "Are there any other known vulnerabilities?"
A: "Yes. Yes. Yes."
Q: "Can you give more details about them?"
A: a) "GIYF"; b) "You would probably have to press on Oracle to publish some more details about them."

not sure what are you looking for

Quote:

---

Originally posted by jmodic
I'm not sure what would you realy like to have. You asked if there are any other vulnerabilities beside those reported by Appsecinc and you were told there are plenty of others. You asked for URL and Pando have provided you four other URLs on this subject. Now you object that they are "too general". What kind of details do you want? If you have followed some of those URLs you would have found out that it is a common practice among those researchers that they do not publish any datils about security vulnerabilities findings, at least not until the patches are available. The reason for that is very obvious.

David Litchfield alone has reported the finding of 34 different vulnerabilities in Oracles database software - he reported them to Oracle and provided no further details about those flaws to general public.

In one of Pando's URLS you can find the following:

Bottomline:
Q: "Are there any other known vulnerabilities?"
A: "Yes. Yes. Yes."
Q: "Can you give more details about them?"
A: a) "GIYF"; b) "You would probably have to press on Oracle to publish some more details about them."

---

Thanks for the detailed answer.

I am looking for *all* the vulnerabilities. The complete list. I know I am fishing. Just asking here if you know of an URL listing them all.

And what would be the use... if you know the list of vulnerabilities this security alert?

Quote:

---

Originally posted by pando
And what would be the use... if you know the list of vulnerabilities this security alert?

---

Forget it ...

Hello

Can some one tell me how do i check if http server is installed in database (unix server), i known running installer is one way but i am interested if any view/table in database from where i can get this info.

If you do not have http server install/owa packages as stated in patch readme file , do you still need to install 2nd patch.

thanks

Satish