Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> Re: cpujan2006 client issues
I look at it differently.
Say I have one or two large clustered database servers hosting 8 to 10
databases.
I also have say 25 to 30 application servers (WebMethods, Portals, etc
various applications). [some or dual-installations for "HA" with Load
Balancers etc]
Sometime in the past I had done those 25 to 30 Oracle Client installs [Custom Installs so as to not include OEM etc but only client libraries, sqlplus , exp/imp if needed, proc*c etc]. Then, [ie 2 years ago or 6 months ago], I had patched those clients to 8.1.7.4 or 9.2.0.5 plus Vul#68 or the Jan05 CPU or whatever.
Those application servers do not have Oracle Databases and only
do SQLNet (OCI) or JDBC connections. So I do not bother about
them anymore. It so happens that those clients run applications
on Port 80 or whatever. The 10 or 30 different Application Administrators
[not me !]
have root or superuser privileges --- "hey these are not the database server"
on some of these machines.
Is DBC02 now open ? Is it a risk now ?
""One vulnerability (DBC02) is in a utility that can be forced to terminate if given long arguments, potentially allowing code of an attacker's choice to be executed. However, this utility is not installed with setuid (elevated) privileges, so the risk that it can be effectively exploited is very low.""
YES it is .
Hemant K Chitale
At 09:27 AM Thursday, Mark Brinsmead wrote:
>Please see comments inline below:
>
>
>Ray Stell wrote:
>
>>1. 343382.1 says, "One vulnerability (DBC02) is in a utility that can
>>be forced to terminate if given long arguments, potentially allowing
>>code of an attacker's choice to be executed. However, this utility is
>>not installed with setuid (elevated) privileges, so the risk that it
>>can be effectively exploited is very low."
>>
>
>This sounds like a pretty fair assessment. So long as the program does
>not run with
>setuid privileges, the risk is only modest. In order to exploit the bug,
>one would have
>to "trick" a user (or program) with "elevated" privileges to invoke the
>affected executable
>on their behalf, supplying very carefully crafted arguments.
>
>Is this a risk? Sure. But not a big one. If I can fool somebody with
>"root" or "oracle"
>privileges to run /bin/sh (or vi, or emacs, or find, or ...) with
>arbitrary parameters that
>I supply, I will pretty much "own" that system. Given that there are
>hundreds (or
>thousands) of programs whose "normal" (and bug-free) operation provides
>this kind
>of "exposure", I don't think I'll lose much sleep over some "bug" that
>provides a
>similar exposure.
Hemant K Chitale
http://web.singnet.com.sg/~hkchital
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Feb 02 2006 - 06:52:16 CST