Re: cpu patch

From: Stefan Knecht <>
Date: Fri, 11 Sep 2009 19:20:49 +0200
Message-ID: <>

Hi Joan

This really depends on the kind of vulnerabilities the patches fix IMHO -- which varies between each one of them. Consider this for example:

  • Your hacker has access to an account in your "non-critical" DB
  • There's an unpatched vulnerability that lets authenticated users gain DBA privileges
  • He gains those privileges in your "non-critical" DB.
  • He can now do whatever the oracle user on that system can do
  • For example, update $HOME/.ssh/authorized_keys with his own key
  • He then has shell access (and if your OS is as poorly patched as your database, he'll soon have root as well)
  • It's then easy to capture other valuable information, such as passwords lying around in scripts, or do many naughty things
  • And perhaps your environment has a few (or even just 1) sys password
  • And he will very soon have access to the oracle user on different servers (including your more "critical" ones).

Just some random thoughts, I'm sure others have other ideas ;-)


Stefan P Knecht
CEO & Founder

10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen

Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27

On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <> wrote:

> Hi Listers,
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web, etc. I am
> wondering if cpu patch is necessary to patch every quarter on these
> servers. Is there any security concern that hackers can hack other important
> databases (like FM, HR) via these databases. All the databases share the
> same tnsnames.ora on the share drive.
> Thanks,
> Joan
> --

Received on Fri Sep 11 2009 - 12:20:49 CDT
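
A defender's check for two of the steps in the scenario above (a key added to the oracle user's authorized_keys, and passwords left in scripts, including one password reused across databases), as an added example that is not part of the original thread. The approved-key baseline, the placeholder key blobs, the sample script and all function names are constructed for illustration, and the credential pattern is a heuristic.

```python
import hashlib
import re

# Key line: optional options, key type, base64 blob, optional comment.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-\S+)\s+([A-Za-z0-9+/=]+)(.*)$")
# Heuristic: user/password[@alias] after sqlplus/connect/conn; file paths and
# OS-authenticated logins ("/ as sysdba") are not matched.
CRED_RE = re.compile(
    r"\b(?:sqlplus|connect|conn)\b.*?(?<![/\w.@])([A-Za-z][\w$#]*)/([^\s/@\"']+)"
    r"(?:@([\w.\-]+))?", re.IGNORECASE)

def unapproved_keys(authorized_keys_text, approved_blobs):
    """Return (line number, key type, comment) for keys not in the baseline."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            findings.append((lineno, "unparseable", line))
        elif m.group(2) not in approved_blobs:
            findings.append((lineno, m.group(1), m.group(3).strip()))
    return findings

def embedded_credentials(script_text):
    """Return (line number, user, alias, password digest); never the password."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = CRED_RE.search(line)
        if m:
            digest = hashlib.sha256(m.group(2).encode()).hexdigest()[:8]
            hits.append((lineno, m.group(1), m.group(3), digest))
    return hits

# Constructed sample data: placeholder key blobs and a made-up script.
APPROVED = {"AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDdba"}
SAMPLE_KEYS = """\
# oracle@dbhost authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDdba dba@adminhost
from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTEDnew user@laptop
"""
SAMPLE_SCRIPT = """\
#!/bin/sh
sqlplus -s / as sysdba @/home/oracle/scripts/stats.sql
sqlplus -s system/Sched2009@FMPROD @nightly.sql
echo "connect sys/Sched2009@HRPROD as sysdba" | sqlplus /nolog
"""

if __name__ == "__main__":
    print(unapproved_keys(SAMPLE_KEYS, APPROVED))
    print(embedded_credentials(SAMPLE_SCRIPT))
```

Two hits with the same digest mean the same password is in use on both aliases, which is the reuse that lets one compromised database lead to the others.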
