Re: security problem with 8i

Jon,
I would tend to agree with you. As long as their data is not externally available, the risk of this type of attack is very low. Most employees are
not foolhardy enough to initiate DOS attacks from their internal LAN's. However if they ever intend to move their system to the internet, VPN, etc.
then they need to keep this info and patch as part of their migration plan.

Rodd

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 7/18/01, 6:45:57 AM, Jon Walthour <jonw_at_fuse.net> wrote regarding Re: security problem with 8i:

> Listers:

> My client has asked me to look into this issue and determine if they
should
> be concerned about it or not. Since they don't have any db's directly
> accessible from the Internet and since their LAN is very secure anyway,
I'm
> inclined to not apply any patches based on the premise that if it isn't a
> necessary patch, don't apply it in fear of breaking something else. What
do
> you think?

> --

> Jon Walthour, OCDBA
> Oracle DBA
> Computer Horizons
> Cincinnati, Ohio

> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> Sent: Monday, July 09, 2001 1:26 PM

> > Hi All,
> >
> > i am not sure if this has already been posted or not, but......
> >
> > --29 June 2001 Oracle8i Database Buffer Overflow Vulnerability
> > Security experts found and disclosed a pair of vulnerabilities in the
> > standard and enterprise editions of Oracle8i database. The Transport
> > Network Substrate (TNS) Listener has a buffer overflow vulnerability;
> > a flaw in the SQL Net protocol leaves the system vulnerable to
> > denial-of- service attacks. Patches are available.
> >
> > http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html
> >
> > -bill
> >
> > --
> > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > --
> > Author: Bill Conner
> > INET: bconner_at_verio.net
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
> >

> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Jon Walthour
> INET: jonw_at_fuse.net

> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Rodd Holman
  INET: rodney.holman_at_lodgenet.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).