Re: So whats up with the 11.2 java security hole?
Date: Sun, 07 Feb 2010 13:24:17 +0100
On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
> On Feb 7, 2:47 am, John Hurley<johnbhur..._at_sbcglobal.net> wrote:
>> Based on David Litchfield ...
> He also suggests the workaround (revoking EXECUTE from PUBLIC
> on certain Java-related packages.) Actually, I'd check the privileges
> on these packages and revoke EXECUTE from everyone else, too. SYS is
> just enough.
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
Taking in account the complexity of underlying code, it seems to be
*not* a straightforward action - i would rather share the Gary Myers
thoughts on this subject -
http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revoking.html For sure only Oracle can confirm (or deny), such revoke won't break anything in provided functionality. Even Oracle would have probably difficulties to test against all usual scenarios in context of such revoke - much easier will be probably to remove vulnerability in the underlying packages. On the other side, the vulnerability is so dangerous, that i hope, Oracle's fix should follow rather sooner ( at least for those, who get lucky to login into MOS).
Maxim Received on Sun Feb 07 2010 - 06:24:17 CST