Re: So whats up with the 11.2 java security hole?

From: Maxim Demenko <mdemenko_at_gmail.com>
Date: Sun, 07 Feb 2010 13:24:17 +0100
Message-ID: <4B6EB0F1.4070404_at_gmail.com>



On 07.02.2010 12:19, Vladimir M. Zakharychev wrote:
> On Feb 7, 2:47 am, John Hurley<johnbhur..._at_sbcglobal.net> wrote:
>> Based on David Litchfield ...
>>
>> http://www.computerworld.com/s/article/9151318/Black_Hat_Zero_day_hac...
>
> He also suggests the workaround (revoking EXECUTE from PUBLIC
> on certain Java-related packages.) Actually, I'd check the privileges
> on these packages and revoke EXECUTE from everyone else, too. SYS is
> just enough.
>
> Regards,
> Vladimir M. Zakharychev
> N-Networks, makers of Dynamic PSP(tm)
> http://www.dynamicpsp.com

Taking into account the complexity of the underlying code, it seems to be *not* a straightforward action - I would rather share Gary Myers' thoughts on this subject -
http://blog.sydoracle.com/2010/02/exploits-and-revoking-risks-of-revoking.html
For sure, only Oracle can confirm (or deny) that such a revoke won't break anything in the provided functionality. Even Oracle would probably have difficulties testing against all the usual scenarios in the context of such a revoke - it will probably be much easier to remove the vulnerability in the underlying packages. On the other side, the vulnerability is so dangerous that I hope Oracle's fix will follow rather sooner (at least for those who get lucky enough to log in to MOS).

Best regards

Maxim

Received on Sun Feb 07 2010 - 06:24:17 CST
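As an added illustration of the two positions in this thread (Vladimir's "check the privileges and revoke EXECUTE from everyone but SYS" and Maxim's worry that a blind revoke may break dependent code), here is an Oracle SQL script that audits the grants and the dependents before anything is revoked. This is example code written for this page, not from either poster, from Oracle or from Litchfield's talk. The thread does not name the packages, so the name patterns '%JAVA%' and '%JVM%' are an assumption standing in for the actual list in the advisory; the views DBA_TAB_PRIVS, DBA_OBJECTS and DBA_DEPENDENCIES are standard data-dictionary views and the script is meant to be run as a DBA.

```sql
-- Added example, not from the thread. Run as a DBA.
-- ASSUMPTION: the patterns '%JAVA%' / '%JVM%' stand in for the packages
-- named in the advisory, which this thread does not list; replace them
-- with the exact package names you are acting on.

-- 1. Who holds EXECUTE on SYS-owned Java-related packages? PUBLIC showing
--    up here is the condition the workaround is meant to remove.
SELECT p.table_name AS package_name,
       p.grantee,
       p.grantable
  FROM dba_tab_privs p
  JOIN dba_objects   o
    ON o.owner = p.owner AND o.object_name = p.table_name
 WHERE p.owner        = 'SYS'
   AND p.privilege    = 'EXECUTE'
   AND o.object_type  = 'PACKAGE'
   AND (o.object_name LIKE '%JAVA%' OR o.object_name LIKE '%JVM%')
 ORDER BY p.table_name, p.grantee;

-- 2. Impact check: non-SYS code that statically references these packages.
--    Anything owned by a grantee that loses EXECUTE will go INVALID after
--    the revoke, which is the breakage Maxim and Gary Myers are warning about.
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_type  = 'PACKAGE'
   AND (d.referenced_name LIKE '%JAVA%' OR d.referenced_name LIKE '%JVM%')
   AND d.owner <> 'SYS'
 ORDER BY d.owner, d.name;

-- 3. Generate the REVOKE statements: PUBLIC first, then every other grantee,
--    leaving only SYS. Review the output before executing it.
SELECT 'REVOKE EXECUTE ON SYS.' || p.table_name
       || ' FROM ' || p.grantee || ';' AS revoke_stmt
  FROM dba_tab_privs p
  JOIN dba_objects   o
    ON o.owner = p.owner AND o.object_name = p.table_name
 WHERE p.owner        = 'SYS'
   AND p.privilege    = 'EXECUTE'
   AND o.object_type  = 'PACKAGE'
   AND (o.object_name LIKE '%JAVA%' OR o.object_name LIKE '%JVM%')
   AND p.grantee     <> 'SYS'
 ORDER BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END, p.table_name;

-- 4. After revoking, recompile (e.g. @?/rdbms/admin/utlrp.sql) and list
--    whatever is still INVALID; compare against the baseline from step 2.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```

Two caveats a practitioner should keep in mind. Step 2 only sees static PL/SQL references recorded in the dictionary; calls made through dynamic SQL, from Java stored procedures, or from client applications will not appear, which is exactly why Maxim's point stands that only Oracle can say whether the revoke is safe for all supported functionality. And a revoke from PUBLIC removes the grant itself but not any public synonym, so the names still resolve; it is the EXECUTE privilege, not name resolution, that closes the path.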
