Re: Oracle 9i DB Security Hole

From: Jonathan Lewis <jonathan_at_jlcomp.demon.co.uk>
Date: Fri, 19 Apr 2002 14:07:17 +0100
Message-ID: <1019221583.21218.0.nnrp-01.9e984b29@news.demon.co.uk>

Funnily enough, the DBF 2002 Forum in Sydney includes a session

    "How to test"
by that <quote> respected Oracle consultant Jonathan Lewis <end quote>.

It is JUST (barely) possible, that if I had got around to testing ANSI joins I would have spotted an anomaly because I test every new feature whilst running a 10046 trace and three different internal snapshots after flushing the shared_pool -- IF I think there may be a vague chance of a significant performance issue.

But I don't think I would have bothered with that sort of extreme with ANSI joins; I'd have just checked that the access paths were unsurprising and cost about the same as the syntactically equivalent Oracle versions.

Who, after all, is going to say things like:

    Does an inline view result in access violation
    Does explicit partition naming result in access violation
    Does a cross join result in access violation
    Does subquery unnesting result in access violation
    Does flashback query result in access violation
        (Hm! I hadn't thought of that one before - I wonder ..)
    Does common subexpression elimination result in access violation

Of course, it is still worth asking how a security testing organisation can know much more than the average specialist about Oracle and what is possible from day one. How do you test a brand new product when the designers and coders don't even know what all the features can do when they are put together?

--
Jonathan Lewis
http://www.jlcomp.demon.co.uk

Author of:
Practical Oracle 8i: Building Efficient Databases

Next Seminar - Australia - July/August
http://www.jlcomp.demon.co.uk/seminar.html

Host to The Co-Operative Oracle Users' FAQ
http://www.jlcomp.demon.co.uk/faq/ind_faq.html



Nuno Souto wrote in message
<3cbffc9e$0$15477$afc38c87_at_news.optusnet.com.au>...

>
>What gets me is: Oracle obviously paid a lot of money to some companies
>to get 9i certified for security compliance. How come such a gaping hole
>sneaked through? What sort of testing for security was really done? One
>wonders if it is worth spending the $$$ on these "certifications"...
>
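The list of "does X result in access violation" questions above can be turned into a privilege-enforcement regression script. This is an added example, not part of the original post or of any Oracle test suite; the schema name app_owner, the user privtest, the two tables and the password are assumed placeholders. Each SELECT run as privtest is expected to fail with an ORA- error (ORA-00942 or ORA-01031); any statement that returns rows marks a construct that bypassed object-privilege checks.

```sql
-- Setup: run as a DBA. privtest gets SELECT on ALLOWED only; SECRET is never granted.
CREATE USER privtest IDENTIFIED BY "Placeholder_Pw1";
GRANT CREATE SESSION TO privtest;
CREATE TABLE app_owner.allowed (id NUMBER, val VARCHAR2(20));
CREATE TABLE app_owner.secret  (id NUMBER, ssn VARCHAR2(20))
    PARTITION BY RANGE (id) (PARTITION p_low VALUES LESS THAN (100),
                             PARTITION p_hi  VALUES LESS THAN (MAXVALUE));
INSERT INTO app_owner.allowed VALUES (1, 'constructed');   -- constructed sample rows
INSERT INTO app_owner.secret  VALUES (1, 'constructed');
COMMIT;
GRANT SELECT ON app_owner.allowed TO privtest;

-- Test: run as privtest. Every statement below must raise an ORA- error.
CONNECT privtest/"Placeholder_Pw1"

-- ANSI join syntax (the case the thread is about)
SELECT a.id, s.ssn FROM app_owner.allowed a JOIN app_owner.secret s ON a.id = s.id;
-- inline view
SELECT * FROM (SELECT ssn FROM app_owner.secret);
-- explicit partition naming
SELECT ssn FROM app_owner.secret PARTITION (p_low);
-- cross join
SELECT s.ssn FROM app_owner.allowed CROSS JOIN app_owner.secret s;
-- subquery that the optimiser may unnest
SELECT id FROM app_owner.allowed WHERE id IN (SELECT id FROM app_owner.secret);
-- flashback query
SELECT ssn FROM app_owner.secret AS OF TIMESTAMP (SYSTIMESTAMP - INTERVAL '1' MINUTE);
-- repeated subexpression (candidate for common subexpression elimination)
SELECT id FROM app_owner.allowed
 WHERE id IN (SELECT id FROM app_owner.secret WHERE id > 0)
    OR id IN (SELECT id FROM app_owner.secret WHERE id > 0);

-- Teardown: run as a DBA.
DROP USER privtest;
DROP TABLE app_owner.secret;
DROP TABLE app_owner.allowed;
```

Add the script to the regression run for every patch or new release, since the point of the post is that nobody knows in advance which feature combination will be the one that slips past the privilege check.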
Received on Fri Apr 19 2002 - 08:07:17 CDT
