Re: cpu patch
Date: Fri, 11 Sep 2009 19:20:49 +0200
Message-ID: <486b2b610909111020x6b4b6e11p154e4bb7745df47b_at_mail.gmail.com>
Hi Joan
This really depends on the kind of vulnerabilities the patches fix IMHO -- which varies between each one of them. Consider this for example:
- Your hacker has access to an account in your "non-critical" DB
- There's an unpatched vulnerability that lets authenticated users gain DBA privileges
- He gains those privileges in your "non-critical" DB.
- He can now do whatever the oracle user on that system can do
- For example, update $HOME/.ssh/authorized_keys with his own key
- He then has shell access (and if your OS is as poorly patched as your database, he'll soon have root as well)
- It's then easy to capture other valuable information, such as password laying around in scripts, or do many naugthy things
- And perhaps your environment has a few (or even just 1) sys password
- And he will very soon have access to the oracle user on different servers (including your more "critical" ones).
Just some random thought, I'm sure others have other ideas ;-)
Stefan
Stefan P Knecht
CEO & Founder
s_at_10046.ch
10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen
Switzerland
Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27
info_at_10046.ch
http://www.10046.ch
On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <joan.hsieh_at_tufts.edu> wrote:
> Hi Listers,
>
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web. etc. I am
> wondering if cpu patch is necesscery to patch every quarterly on these
> servers. Is there any security concern that hackers can hack other important
> databases( like FM, HR) via these databases. All the databases share the
> same tnsnames.ora on the share drive.
>
> Thanks,
>
> Joan
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
-- http://www.freelists.org/webpage/oracle-lReceived on Fri Sep 11 2009 - 12:20:49 CDT