
Re: Client side vulnerabilities (Buffer Overflow)

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Fri, 24 Jun 2005 19:34:31 +0200
Message-ID: <2tgob197e9l6rah3c2t19bush2tt2vjsuk@4ax.com>


On 24 Jun 2005 05:04:02 -0700, "David ROBERT" <castlebbs_at_gmail.com> wrote:

>Hello,
>
>I'm interested in Oracle security.
>I've seen the Oracle alerts on the oracle website. A lot of the highly
>critical advisories are about database server itself or the underlying
>operating system command execution.
>
>I'm actually looking at securing an application where:
>- I cannot trust the Oracle Database server (the listener could be
>replaced by a malicious program).
>- The client applications need to be secure. The clients connect to the
>database using SQL*Net. Clients are binaries linked against: libwtc8.sl,
>libnjni8.sl, libwtc8.sl, libclntsh.sl.8.0
>
>I haven't seen in the oracle risk matrix the case where a malicious
>listener could exploit a buffer overflow in oracle client libraries.
>
>Do you know about this risk? Has Oracle released some advisories about
>that?

Obviously not. As you are probably not aware, the listener is a broker only. As soon as it signals the database to fork a process, its tasks with respect to the connecting client are over.

Your first assertion implies you aren't protecting the server itself.

I would suggest you spend your energy elsewhere.

--
Sybrand Bakker, Senior Oracle DBA
Received on Fri Jun 24 2005 - 12:34:31 CDT
