Re: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

From: Martin Bach <>
Date: Thu, 25 Feb 2010 21:12:34 +0000
Message-ID: <>

Hi there!

On 24/02/10 17:36, Allen, Brandon wrote:
> Yes, agreed, but I'd guess that's a very small minority of all Oracle
> databases, although I have nothing to base that on other than my
> personal experience (I've never used XDB). Certainly those who /need/
> Java should have it installed, but I just think it shouldn't be included
> by default.

From my personal experience I can tell you that there are a lot of databases out there that were installed with _all_ possible options installed, regardless of license status. It's just so easy to fire up dbca and click next-next-next and end up having 18 or so lines in dba_server_registry. Not only a licensing problem, but it can also cause severe upgrade headaches with entire component groups invalid.

Quite often such databases don't have their dictionaries patched either.... I have to admit though that such environments generally suffered from a lack of attention or even complete absence of the caring hands of a DBA. Packaged applications using Oracle as a backend come to mind .... I predict it won't be long until universities struggle with hacked systems....



Martin Bach
OCM 10g
Received on Thu Feb 25 2010 - 15:12:34 CST
