Oracle FAQ Your Portal to the Oracle Knowledge Grid
Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle 9i DB Security Hole

Re: Oracle 9i DB Security Hole

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Thu, 18 Apr 2002 17:36:48 +0100
Message-ID: <1019148031.14139.0.nnrp-14.9e984b29@news.demon.co.uk>

I think that your judgement on this case may be a bit harsh. Given that it took about 24 hours for the patch to appear from the moment the post hit the newsgroup, it clearly wasn't a case of:

    "It's too difficult / dangerous / expensive to fix, let's hope no-one else notices before 9.2"

I think this was just a case of a front-end Metalink analyst not realising the significance of what he was seeing, and the developer who picked it up and fixed it being focused on code-lines, not on the real world and customers.

I'd bet on it being a junior employee failing to follow procedures or, as you put it:

    "an institutional discipline that makes it possible to deal with problems like this in a timely, straightforward and plain-spoken manner"

I don't think this was anything to do with a conspiracy of silence.

--
Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of:
Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html



m. fowler wrote in message ...

>The dialogue on this Usenet group is pathetic, to put it mildly - I
>quit reading the Oracle Usenet groups years ago but was directed back
>by the article on theinquirer.net( other than there and in a few
>discussion groups there has been not a peep about all this ). Anyone
>with half a brain, upon reading the original post on Mon., and with a
>few minutes of testing would have grasped the awful and awesome truth
>- and at that point would have shut down their 9.0.1 db. Oracle has
>released a patch using the same bug # that was logged back in Dec. (
>thus announcing the problem to the world ).
> You may know( on second thought you probably don't ) that 9.0.1
>installs with username: dbsnmp / password: dbsnmp - account unlocked -
>this un has connect role by def., which includes create view - thus
>the global R/W access.
> I'm rather sorry to see what happened here - I've suffered for
>years with Oracle, turning me into one of their many critics but also
>one of their biggest fans( especially considering the competition ).
>I perceive that there are many competing camps within any large corp.
>- they don't speak as one monolithic entity and what they do say is
>skewed from the top and amongst their willing water-boys, the media.
>So there needs to be an institutional discipline that makes it
>possible to deal with problems like this in a timely, straightforward
>and plain-spoken manner. Was that the case here - you be the judge.
Received on Thu Apr 18 2002 - 11:36:48 CDT
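As an added, defender-side example that is not part of this thread or of any Oracle-supplied script: the checks a DBA would run against the DBSNMP default account the quoted post describes, followed by the lock-down. It assumes a 9.0.1-era data dictionary and a DBA session; the new password is a placeholder.

```sql
-- Added example (not from the original post): audit the DBSNMP account
-- shipped with the 9.0.1 install and lock it down. Assumes a 9.0.1-era
-- data dictionary and DBA privileges; illustrative, not vendor-supplied.

-- 1. Is the DBSNMP account still open? OPEN means the install-time
--    credentials may still work.
SELECT username, account_status, created, profile
  FROM dba_users
 WHERE username = 'DBSNMP';

-- 2. Which roles does it hold, and what does CONNECT actually carry on
--    this release? On 9i CONNECT is far more than CREATE SESSION.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'DBSNMP';

SELECT role, privilege
  FROM role_sys_privs
 WHERE role = 'CONNECT'
 ORDER BY privilege;

-- 3. List every other user still carrying CONNECT, since the same broad
--    grant applies to each of them (roles granted the role are excluded).
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'CONNECT'
   AND grantee NOT IN (SELECT role FROM dba_roles)
 ORDER BY grantee;

-- 4. Remediation: replace the shipped password and, where the Intelligent
--    Agent is not in use, lock the account outright.
ALTER USER dbsnmp IDENTIFIED BY placeholder_change_me;  -- placeholder value
ALTER USER dbsnmp ACCOUNT LOCK;

-- If the Intelligent Agent is in use, leave the account open with the new
-- password and update the agent's stored credentials (snmp_rw.ora on 9i)
-- to match, otherwise database monitoring stops working.
```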

