Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Oracle 9i DB Security Hole

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Fri, 19 Apr 2002 20:34:01 +1000
Message-ID: <a9oru7$hej$1@lust.ihug.co.nz>


What I'd like to know is: is this now a customer alert?

I have no doubt that the problem was simply one of not realising the import of the matter.

I didn't realise it myself. The *very* original post mentioned being able to select from any table. Jonathan happened to mention that a view on a select of any table meant DML was possible. I happened to wonder whether a view on a data dictionary table would allow you to wreck the database. If you weren't primed to follow that chain of reasoning, you wouldn't have thought too badly of a bug here and there, which all products have.

The lack of a patch for NT is unfortunate, to say the least. But otherwise, the speed of response has been good.

But if no-one knows about it, it's no use. I'd like to see an alert... at least that way, it's your own fault if you get bitten.

Regards
HJR

"Connor McDonald" <connor_mcdonald_at_yahoo.com> wrote in message news:3CBF3140.2124_at_yahoo.com...
> Niall Litchfield wrote:
> >
> > "Jonathan Lewis" <jonathan_at_jlcomp.demon.co.uk> wrote in message
> > news:1019148031.14139.0.nnrp-14.9e984b29_at_news.demon.co.uk...
> > >
> > > I think that your judgement on this case may
> > > be a bit harsh. Given that it took about 24 hours
> > > for the patch to appear from the moment the
> > > post hit the newsgroup, it clearly wasn't a case
> > > of:
> > > "It's too difficult / dangerous / expensive to fix,
> > > let's hope no-one else notices before 9.2"
> >
> > I'd say that Oracle's reaction once they realized the problem was real and
> > serious has been excellent. As someone who also has to support other vendors'
> > products where we often get a delay before patch availability and oftentimes
> > several patches for the same problem. That all said, I do feel that a bug of
> > this seriousness shouldn't have slipped through QA. I have some sympathy too
> > for the metalink analyst(s?) who missed the significance of what they were
> > seeing. That is all too easy to do, especially in a front line support
> > environment.
> >
> > --
> > Niall Litchfield
> > Oracle DBA
> > Audit Commission UK
> >
> Agreed. My only criticism is that the bug has now gone from
> 'published' to 'unpublished'. I applaud the speed at which they
> backported the patch...I'm not so sure about the coverup..
>
> Cheers
> Connor
> --
> ==============================
> Connor McDonald
>
> http://www.oracledba.co.uk
>
> "Some days you're the pigeon, some days you're the statue..."
Received on Fri Apr 19 2002 - 05:34:01 CDT
