
Re: List of security issues/fixes for Oracle 9i R1 & R2

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Tue, 28 Jan 2003 22:06:25 +0000
Message-ID: <l0Mhy0Ah7vN+Ew$l@peterfinnigan.demon.co.uk>


Hi Joe

All of the security alerts that Oracle have acknowledged and released patches or workarounds for have advisories posted to http://otn.oracle.com/deploy/security/alerts.htm. There is a subscriber list also at the same site. You need a free user account creating.

I have just written a book for the SANS Institute with the help of some of the guys who contribute to this list. It is called "Oracle security step-by-step (A survival guide to Oracle security)". It's a list of known configuration issues and default installation issues, and for each issue there are checks to perform and actions to take. See http://store.sans.org for details.

I have never seen any good comprehensive "check list" type documents on the net for Oracle security apart from some of the examples below.

I also wrote a simple "scanner" over one year ago for www.securityfocus.com that checks for some basic configuration issues. See http://online.securityfocus.com/online/1522. There is a free script with it from my previous company's web site.

My website has a few papers about Oracle security listed on it, http://www.petefinnigan.com, and I am currently collating a list of all the Oracle security articles and papers I know of; these links will be added during the next week.

Check out a search on Google for "oracle+security" and see the sample chapter from the O'Reilly book, and also see the papers listed on www.sans.org in the reading room at http://www.sans.org/rr/appsec/; there are a few about Oracle security in particular. David Litchfield has a good paper on www.ngssoftware.com about hackproofing the application server. Aaron Newman has a couple of good papers on his site at www.appsecinc.com.

I hope this lot helps a bit.

kind regards

-- 
Pete Finnigan

Email : pete_at_peterfinnigan.demon.co.uk
Email : pete_at_petefinnigan.com

Web site: http://www.petefinnigan.com

Independent consultant specialising in Oracle security. Pete Finnigan is the 
author of the recently published book about Oracle security from the SANS 
Institute "Oracle security Step-by-step (A survival guide for Oracle security)" 
- see http://store.sans.org for details and pre-order special prices.

Some recently published articles include:

http://online.securityfocus.com/infocus/1644 - "SQL injection and Oracle - part one"

http://online.securityfocus.com/infocus/1646 - "SQL injection and Oracle - part two"
Received on Tue Jan 28 2003 - 16:06:25 CST
