Re: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

From: <david_at_databasesecurity.com>
Date: Thu, 14 Jun 2012 14:50:51 +0100
Message-ID: <B97B66A7977D435790EA1298BA2C1594_at_NAUTILUS>



Hey all,

> The risk for an external threat is pretty much minimized through a set of
> security layers such as the Firewall, anti-virus, etc.

Without seeing a specific environment I'd tend to disagree; better to be more cautious than not. If the database in question is connected to a web or application server then there's the potential for SQL injection; there's potential for exploitation of flaws in the app environment itself (Struts, anyone? OAS?); and a host of other issues that can relegate the firewall to an expensive box with pretty flashing lights. In this day and age, anyone that thinks a firewall offers sufficient protection should open a newspaper and read about all the database security breaches taking place. Do you really think those orgs weren't using firewalls? As far as WAFs are concerned - they can be bypassed by a moderate to skilled attacker. I know it's a pain but the best strategy really is keeping your patches up to date and reducing your attack surface.
Cheers,
David

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jun 14 2012 - 08:50:51 CDT
