
Re: when does Oracle 8i go out of service?

From: Paul Drake <drak0nian_at_yahoo.com>
Date: 1 Mar 2003 16:00:21 -0800
Message-ID: <1ac7c7b3.0303011600.ec21dca@posting.google.com>


Sybrand Bakker <gooiditweg_at_nospam.demon.nl> wrote in message news:<hfk06v0ng48s526ebmg1597epgrt6tpvbf_at_4ax.com>...
> Just a question:
> We all know 7.3.4 reached ECS. As far as I know it still didn't reach
> EMS.
> *Everyone* (including you) qualifies 7.3.4 as *desupported*, and *ALL*
> reference on Oracle sites to 7.3.4 have been *removed*
> I also am quite sure, if you would call OTS, they are just dropping
> the phone on you, anyway that was the customary policy in the
> Netherlands until recently.
> Also: if you don't have an EAS or EMS contract Oracle will simply
> leave you alone. I have never seen a site, still using 7.3.4 or 8.0,
> with such a contract!!!
>
> So: how can you state Oracle still supports 8.1.7 after December 31?
> If they find a bug in 9i, which has impact on 8.1.7, they definitely
> won't backport it to 8i.
> So : as far as I am concerned: because ECS stops, one should consider
> 8.1.7 as *desupported* from December 31, and Oracle will delete all
> references to this version from their website.
> Either statement is true, and IMO, your statement is incorrect.
>
> Regards
>
> Sybrand Bakker, Senior Oracle DBA

Sybrand,

I would have to completely agree.
One could go to

http://otn.oracle.com/deploy/security/alerts.htm

and examine an alert, say #51, of a buffer overflow.

Can I obtain a patch for Oracle 7.3.4? No. Can I obtain a patch for Oracle 8.0.6? Apparently so, much to my surprise, although I don't see it as listed for any platform on Metalink. Must just be available by request.

In other cases, where a bug was not fixed for an Oracle 7.3.4 listener, the work-around was to install an Oracle 8i or 9i home on the server and use the newer version of the TNS Listener, for which a patch had been produced. When the bug is in the oracle server process, this work-around is not an option - unless the migration/upgrade is performed.

Would one want to run in production a product for which an exploit has been published, such that anyone who can connect to the instance with a bogus user account can crash the instance? If you have a network configuration such that only the app servers can connect to the database and no users can reach the server - enforced by routers - then I would agree that you need not be concerned. It wouldn't hurt to ask who is checking the logs on the app servers, though - and if they aren't loading psp from the app servers, you might want to remove a few binaries ... ;)

Yes, I'll admit that this description is the most extreme case, but it is true.
One would only have to check some of the security sites or mailing lists to find it described (I see no reason to post it here).

When I first heard of the exploit that Friday morning, I discussed with a client the possibility of just shutting down the database over the weekend while we researched this further, as the oracle process was not vulnerable in this case if the database was closed. :)

Agreed, one can obtain info from the server log as to what machine, osuser, program generated the crash, so it would be possible to trace where the attack was initiated. Chances are, that won't be sufficient information to find the guilty party who hit <enter>.

This is why it is important to stay current, as the patchset is a one-off, and the base patchset must first be applied. If you're already on 8.1.7.4.x, the one-off patchset (e.g. 8.1.7.4.8) is likely a quickie - copy the files, reset compatible and restart the instance, with no scripts required - although the readme.htm will tell you if that is in fact the case or not.

If you're back on 8.1.7.1.5 (which was required to fix the multiple TNS Listener vulnerabilities long ago) then patching to 8.1.7.4.1 is much more involved.

I have to admit, every time I see the lag for patches to be ported over to win32, like for the current buffer overflow mentioned above, it tips the scales more toward wiping the boot drive of W2K boxes and installing a supported Linux distribution. The 8.1.7.4.x one-off patchset for Linux 32bit Intel was available on 17-DEC-2002, according to the readme. Here it is 2 months later, and no patchset for Win32. (this comment is likely to be akin to dropping silver nitrate into supersaturated moist air).

I wish that I was dba-ing systems on a tier 1 platform. Maybe when we move to 9.2.

Paul

Received on Sat Mar 01 2003 - 18:00:21 CST
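The patching rule Paul describes (a one-off such as 8.1.7.4.8 only goes on top of the 8.1.7.4 base patchset, so an instance still on 8.1.7.1.5 needs the base patchset first, and a release with no patch at all needs a migration) can be turned into a small inventory triage. This is an added example, not code from the thread or from Oracle; the host names and the inventory are constructed sample input.

```python
# Added example (not from the thread): work out which patching path each
# instance needs, following the rule stated in the post: the one-off
# (8.1.7.4.8) sits on the 8.1.7.4 base patchset, which must be applied first.

ONE_OFF = (8, 1, 7, 4, 8)   # one-off patchset named in the post (assumed target)


def parse_version(text):
    """Turn '8.1.7.1.5' into a tuple of ints so versions compare lexically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 3:
        raise ValueError("unrecognised Oracle version string: %r" % text)
    return parts


def patch_plan(version_text, one_off=ONE_OFF):
    """Return the ordered steps needed to reach the one-off level (empty = done)."""
    v = parse_version(version_text)
    base = one_off[:4]                       # e.g. (8, 1, 7, 4)
    dotted = lambda t: ".".join(map(str, t))
    if v >= one_off:
        return []                            # already at or above the one-off
    if v[:4] == base:
        # Already on the base patchset: one-off only (copy files, restart)
        return ["apply one-off %s" % dotted(one_off)]
    if v[:3] == base[:3]:
        # Older 8.1.7.x (e.g. 8.1.7.1.5): base patchset first, then the one-off
        return ["apply base patchset %s" % dotted(base),
                "apply one-off %s" % dotted(one_off)]
    # 7.3.4 / 8.0.x: no patch for this fix, the upgrade is the only remedy
    return ["upgrade/migrate: release %s has no patch for this fix" % version_text]


def triage(inventory, one_off=ONE_OFF):
    """inventory: {host: version}. Returns only hosts that still need work."""
    plans = {host: patch_plan(ver, one_off) for host, ver in inventory.items()}
    return {host: plan for host, plan in plans.items() if plan}


if __name__ == "__main__":
    # Constructed sample inventory; host names are hypothetical.
    sample = {"db-a": "8.1.7.4.8", "db-b": "8.1.7.4.1",
              "db-c": "8.1.7.1.5", "db-d": "7.3.4"}
    for host, plan in sorted(triage(sample).items()):
        print(host, "->", "; ".join(plan))
```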
