Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: List of security issues/fixes for Oracle 9i R1 & R2

From: Joe Yong <flyingbuick_at_yahoo.com>
Date: 29 Jan 2003 12:28:02 -0800
Message-ID: <6ad26002.0301291228.2f380553@posting.google.com>


Thanks to all who provided useful responses. Not surprisingly Pete Finnigan and Mark Townsend were, as always, helpful without prejudice. I'm just surprised HJR didn't jump in. :-)

FYI, 70% of our customers are Oracle users (thankfully, but the SQL list is growing pretty fast) and this little exercise request from our boss is not because our customers have Oracle DBs directly connected to the internet (though I'll bet $1 someone does). It's mostly a refresher for us and in preparation for potential inquiries. Some customers are kinda weird that way. They see a honduh (aka honda) breakdown and decide they want to inspect their porsche. We've got stuff that we already track and a short list from CERT. Just wanted to check with you guys to see if you've seen anything in your daily work. The Oracle engineers and the various security companies are great but nobody finds more "undocumented features" than people who actually use the product with real users, not clinical test environments.

Anyway, thanks again.

joe.

Pete Finnigan <pete_at_peterfinnigan.demon.co.uk> wrote in message news:<l0Mhy0Ah7vN+Ew$l_at_peterfinnigan.demon.co.uk>...
> Hi Joe
>
> All of the security alerts that Oracle have acknowledged and released
> patches or workarounds for have advisories posted to
> http://otn.oracle.com/deploy/security/alerts.htm. There is a subscriber
> list also at the same site. You need a free user account creating.
>
> I have just written a book for the SANS Institute with the help of some
> of the guys who contribute to this list. It is called "Oracle security
> step-by-step (A survival guide to Oracle security)". It's a list of known
> configuration issues and default installation issues and for each issue
> there are checks to perform and actions to take. See
> http://store.sans.org for details.
>
> I have never seen any good comprehensive "check list" type documents on
> the net for Oracle security apart from some of the examples below.
>
> I also wrote a simple "scanner" over one year ago for
> www.securityfocus.com that checks for some basic configuration issues.
> See http://online.securityfocus.com/online/1522. There is a free script
> with it from my previous company's web site.
>
> My website has a few papers about Oracle security listed on it
> (http://www.petefinnigan.com) and I am currently collating a list of all
> the Oracle security articles and papers I know of; these links will be
> added during the next week.
>
> Check out a search on Google for "oracle+security" and see the sample
> chapter from the O'Reilly book and also see the papers listed on
> www.sans.org in the reading room at http://www.sans.org/rr/appsec/;
> there are a few about Oracle security in particular. David Litchfield
> has a good paper on www.ngssoftware.com about hackproofing the
> application server. Aaron Newman has a couple of good papers on his site
> at www.appsecinc.com.
>
> I hope this lot helps a bit.
>
> Kind regards
> --
> Pete Finnigan
>
> Email : pete_at_peterfinnigan.demon.co.uk
> Email : pete_at_petefinnigan.com
>
> Web site: http://www.petefinnigan.com
>
> Independent consultant specialising in Oracle security. Pete Finnigan is the
> author of the recently published book about Oracle security from the SANS
> Institute "Oracle security Step-by-step (A survival guide for Oracle security)"
> - see http://store.sans.org for details and pre-order special prices.
>
> Some recently published articles include:
>
> http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part
> one"
>
> http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part
> two"
Received on Wed Jan 29 2003 - 14:28:02 CST