Re: cpu patch

From: Stefan Knecht <knecht.stefan_at_gmail.com>
Date: Fri, 11 Sep 2009 19:20:49 +0200
Message-ID: <486b2b610909111020x6b4b6e11p154e4bb7745df47b_at_mail.gmail.com>



Hi Joan

This really depends on the kind of vulnerabilities the patches fix IMHO -- which varies between each one of them. Consider this for example:

  • Your hacker has access to an account in your "non-critical" DB
  • There's an unpatched vulnerability that lets authenticated users gain DBA privileges
  • He gains those privileges in your "non-critical" DB.
  • He can now do whatever the oracle user on that system can do
  • For example, update $HOME/.ssh/authorized_keys with his own key
  • He then has shell access (and if your OS is as poorly patched as your database, he'll soon have root as well)
  • It's then easy to capture other valuable information, such as passwords lying around in scripts, or do many naughty things
  • And perhaps your environment has a few (or even just 1) sys password
  • And he will very soon have access to the oracle user on different servers (including your more "critical" ones).

Just some random thoughts, I'm sure others have other ideas ;-)

Stefan


Stefan P Knecht
CEO & Founder
s_at_10046.ch

10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen
Switzerland

Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27
info_at_10046.ch
http://www.10046.ch

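One way to turn two of the indicators in the chain above into a routine check, as an added example that is not part of the original message: a read-only shell audit that lists the SSH keys authorised for the oracle OS account and greps its scripts for hard-coded connect strings (the user/password@alias form works from any host that shares the same tnsnames.ora). The directory layout, key material and sample scripts are constructed for the demo; on a real host you would point the two functions at the oracle user's home and a cron or deployment directory.

```shell
#!/bin/sh
# Added example, not code from the oracle-l thread: a read-only audit of two
# indicators from the message above, run as (or against the home of) the oracle
# OS account. All paths, keys and scripts below are constructed for the demo.

# Print the non-comment entries of an authorized_keys file so that each can be
# matched against the keys that are actually expected for this account.
list_authorized_keys() {
    keys_file="$1"
    [ -f "$keys_file" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$keys_file"
}

# Count authorised keys. A count that grew since the last audit, or any key on
# an account that should have none, is the "authorized_keys" step in the chain.
count_authorized_keys() {
    list_authorized_keys "$1" | wc -l | tr -d ' '
}

# Report lines under a directory that embed a database password: either a
# user/password[@alias] connect string handed to an Oracle client tool, or a
# "password=" assignment. Output is file:line:text, one finding per line.
find_hardcoded_creds() {
    scan_dir="$1"
    grep -rEnIi \
        -e '(sqlplus|rman|expdp|impdp|exp|imp)[^#]*[[:space:]][A-Za-z0-9_$#]+/[^[:space:]@]+(@|[[:space:]]|$)' \
        -e 'password[[:space:]]*=[[:space:]]*[^[:space:]]' \
        "$scan_dir" 2>/dev/null
}

count_hardcoded_creds() {
    find_hardcoded_creds "$1" | wc -l | tr -d ' '
}

# Constructed demo tree standing in for the oracle user's home directory.
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    mkdir -p "$DEMO_DIR/.ssh" "$DEMO_DIR/scripts"
    cat > "$DEMO_DIR/.ssh/authorized_keys" <<'EOF'
# backup server key (known)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedDemoKey1 backup@bkp01
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedDemoKey2 unknown@laptop
EOF
    # Password in a sqlplus connect string.
    cat > "$DEMO_DIR/scripts/nightly_stats.sh" <<'EOF'
#!/bin/sh
sqlplus -s scott/tiger@SCHED <<SQL
exec dbms_stats.gather_schema_stats('SCOTT');
SQL
EOF
    # Password in an environment variable and in an rman catalog connect string.
    cat > "$DEMO_DIR/scripts/rman_backup.sh" <<'EOF'
#!/bin/sh
export RMAN_PASSWORD=changeme
rman target / catalog rcat/rcatpw@RCAT cmdfile=full.rcv
EOF
    # OS authentication: nothing to find here, and the audit must not flag it.
    cat > "$DEMO_DIR/scripts/purge_logs.sh" <<'EOF'
#!/bin/sh
sqlplus -s / as sysdba @purge_logs.sql
EOF
}

setup_demo
trap 'rm -rf "$DEMO_DIR"' EXIT

echo "authorized keys for this account: $(count_authorized_keys "$DEMO_DIR/.ssh/authorized_keys")"
list_authorized_keys "$DEMO_DIR/.ssh/authorized_keys"
echo "hard-coded credentials found: $(count_hardcoded_creds "$DEMO_DIR/scripts")"
find_hardcoded_creds "$DEMO_DIR/scripts"
```

The demo reports two authorised keys (one of them unexpected) and three lines carrying a password, while the script that relies on OS authentication is left alone. Running the same two functions on a schedule and diffing the output against the previous run gives an early warning for the key-planting and password-harvesting steps in the chain, independent of whether the quarter's CPU has been applied yet.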

On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <joan.hsieh_at_tufts.edu> wrote:

> Hi Listers,
>
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web, etc. I am
> wondering if the cpu patch is necessary to apply every quarter on these
> servers. Is there any security concern that hackers can hack other important
> databases (like FM, HR) via these databases. All the databases share the
> same tnsnames.ora on the shared drive.
>
> Thanks,
>
> Joan
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

Received on Fri Sep 11 2009 - 12:20:49 CDT