Re: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Wed, 13 Jun 2012 14:14:38 -0500
Message-ID: <CAJvnOJYmtn+BT3F1r+D1mmKfOfZJmLoej=8a5+R2nW+piwFUHA_at_mail.gmail.com>

I am in agreement that the actual risk is fairly limited for most instances since everyone is behind a firewall these days. And patching a cluster is a headache.
However, many places have their security audits done by accounting firms with limited practical knowledge of Oracle, which seems to result in fairly major overestimations of risk. In addition, some companies have a requirement that security patches be implemented immediately, or in within a certain time frame, even if the risk is minimal.

So what I am saying is, yes the risk isnt that great, but for many places that doesnt really matter.

On Wed, Jun 13, 2012 at 1:55 PM, Jeff Thomas <dbmangler_at_gmail.com> wrote:

> This may seem a naive exercise - but I'm trying to determine the actual
> risk of this exploit vs the implementation risks required for our 11gR2 RAC
> environments.
> My understanding is that this exploit has been 'known' since 2008 -
> although not publicized. And Oracle rushed out the alert and fix
> in response to the publishing
> of the exploit. The exploit seems to be somewhat complex man-in-the
> middle attack that requires access inside the firewall, or your cluster's
> exposure to an
> insecure network.
>
> If this is not the case for our databases - if all clusters are
> contained within the internal network - and there is no exposure out - what
> is the real risk?
>
> We've tested in our lab - and were able to validate via the remote_listener
> from another cluster both prior to and after the fix. The 11gR2 fix is a
> little bit of a tedious
> process - involving a number of pieces, the wallets, etc. I hate to add
> complexity to our structure for the sake of appearances as opposed to a
> true necessity.
>
> Best,
> Jeff
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'


--
http://www.freelists.org/webpage/oracle-l

Received on Wed Jun 13 2012 - 14:14:38 CDT

This message: [ Message body ]
Next message: Kenneth Naim: "Sequence Skipping"
Previous message: Sandra Becker: "Re: Merge data from 10g database to 11g database"
In reply to: Jeff Thomas: "CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?"
Next in thread: Allen, Brandon: "RE: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?"
Reply: Allen, Brandon: "RE: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message