Re: SCN wrapping

From: joel garry <joel-garry_at_home.com>
Date: Thu, 19 Jan 2012 10:26:11 -0800 (PST)
Message-ID: <a7790d17-eb38-4968-a3b7-df902a04ad53_at_rk3g2000pbb.googlegroups.com>



On Jan 19, 9:38 am, Mladen Gogala <gogala.REMOVETHISmla..._at_google.com> wrote:
> It appears that Oracle 11G has a rather serious bug: it wraps SCN numbers
> around, when doing begin/end backup type of backup:
>
> http://tinyurl.com/6wbker6
>
> One of the quotes in the article reminded me of the CIO who has saved 9.5
> million dollars on monitoring by switching to OEM. He was talking about
> thousands of databases. The interesting passage from the article (page 5)
> is here:
> "Again, only very large customers with many interconnected Oracle
> databases would be likely to run a significant risk of being affected by
> this problem. But the larger the Oracle environment, the longer this
> restoration would take. Typically, large organizations have the least
> tolerance for downtime."
>
> That's precisely the description of the company run by the guy who has
> saved millions. This could be funny. Of course, my confidence into Oracle
> is also a bit shaken, bugs on the level this fundamental are not supposed
> to happen. I should be able to trust my DB vendor with the same degree of
> trust as my stock broker. I know that my stock broker is not going to
> securitize worthless "liar loans", get the deceiving AAA rating for so
> created security, by the auditing agency owned by the same bank as the
> brokerage, sell that security to me and bet against the security they sold
> me with an insurance company. I must have the same level of confidence
> with my DB vendor, too.
>
> --http://mgogala.We were unable to post your message.com

Well, the attack surface can be large even for a small company: http://www.gokhanatil.com/2012/01/fundamental-oracle-flaw-revealed-lets.html

So, can script kiddies poison DNS to point at their own VM with a compromised SCN in it and a user already linked to? How about if they can steal a backup VM, or a plain old backup of an XE used in production? Does OCM world-publish enough info to know what to attack? Are employees ever disaffected?

Questions, questions, questions.

jg

--
_at_home.com is bogus.
"What does it say about the state of computer science education that
one must make a case for teaching how to think clearly?"
http://research.microsoft.com/en-us/um/people/lamport/pubs/pubs.html#teaching-concurrency
Received on Thu Jan 19 2012 - 12:26:11 CST
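The thread talks about SCN exhaustion only in the abstract. The check a DBA would actually want is how much SCN headroom a database has left, because Oracle 11g refuses SCNs above a ceiling that grows at a fixed rate over wall-clock time, and a database link pulls the remote side's SCN into the local one. The following is an added example, not code from the thread or from Oracle; it assumes Oracle's published rule of thumb that the ceiling is 16384 SCNs per second elapsed since 1988-01-01 00:00:00, and the sample SCN and timestamp are constructed. In practice the two inputs come from `SELECT current_scn FROM v$database` and the database host clock.

```python
"""Added example (not part of the thread): estimate how close an Oracle 11g
database's current SCN is to the time-based SCN ceiling.

Assumption (Oracle's published headroom guidance, not from the thread):
the highest SCN a database accepts at any instant is 16384 SCNs for every
second elapsed since 1988-01-01 00:00:00. The sample values are constructed.
"""
from datetime import datetime, timezone

SCN_RATE_PER_SECOND = 16384
SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)
SECONDS_PER_DAY = 86400


def scn_ceiling(at: datetime) -> int:
    """Highest SCN the database will accept at wall-clock time `at`."""
    elapsed = int((at - SCN_EPOCH).total_seconds())
    return elapsed * SCN_RATE_PER_SECOND


def headroom_days(current_scn: int, at: datetime) -> float:
    """Days of headroom left if the SCN kept advancing at the full rate.

    A negative value means the current SCN already exceeds the ceiling,
    which is the condition that makes a database reject new transactions.
    """
    remaining = scn_ceiling(at) - current_scn
    return remaining / (SCN_RATE_PER_SECOND * SECONDS_PER_DAY)


def assess(current_scn: int, at: datetime, warn_days: float = 10.0) -> str:
    """Classify headroom: OK, WARNING (below warn_days) or EXHAUSTED."""
    days = headroom_days(current_scn, at)
    if days < 0:
        return "EXHAUSTED"
    if days < warn_days:
        return "WARNING"
    return "OK"


def assess_linked(scns: dict, at: datetime, warn_days: float = 10.0) -> str:
    """Headroom for a set of db-linked databases.

    Because a link raises the lower SCN to the higher one, the group is only
    as healthy as its highest SCN; constructed input: {name: current_scn}.
    """
    return assess(max(scns.values()), at, warn_days)


if __name__ == "__main__":
    # Constructed sample: a database observed 100 days after the SCN epoch
    # whose SCN is 90 days' worth of the maximum rate.
    now = SCN_EPOCH.replace(month=4, day=10)
    sample_scn = 90 * SECONDS_PER_DAY * SCN_RATE_PER_SECOND
    print(f"ceiling={scn_ceiling(now)} headroom={headroom_days(sample_scn, now):.1f} days "
          f"status={assess(sample_scn, now)}")
    # Two linked databases: the healthy one inherits the other's exposure.
    print(assess_linked({"prod": sample_scn, "reporting": sample_scn // 2}, now))
```

The headroom figure is a worst case: it assumes the SCN keeps climbing at the maximum rate, which is exactly what a runaway client or a link to a high-SCN database can cause, so a low number is worth investigating even when the database's own transaction rate is modest.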