
Re: Oracle 9i DB Security Hole

From: Mike Jay <mikejay_at_mitre.org>
Date: Tue, 21 May 2002 16:03:43 -0400
Message-ID: <3CEAA81F.BC0FA309@mitre.org>


So a CSI is required to KNOW of such a product defect?

http://otn.oracle.com/deploy/security/alerts.htm

It's likely that those buying 9i would have MetaLink, but still...

http://www.kb.cert.org/vuls/id/180147

Please understand, I am VERY grateful for the posts on this group!

OTN did not return any search results for outer or left join, or is there some dedicated search area on OTN that I missed by being daft?

Devin Conner wrote:
>
> "Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<a9oru7$hej$1_at_lust.ihug.co.nz>...
> > What I'd like to know is: is this now a customer alert?
> >
> > I have no doubt that the problem was simply one of not realising the import
> > of the matter.
> >
> > I didn't realise it myself. The *very* original post mentioned being able to
> > select from any table. Jonathan happened to mention that a view on a select
> > of any table meant DML was possible. I happened to wonder whether a view on
> > a data dictionary table would allow you to wreck the database. If you
> > weren't primed to follow that chain of reasoning, you wouldn't have thought
> > too badly of a bug here and there, which all products have.
> >
> > The lack of a patch for NT is unfortunate, to say the least. But otherwise,
> > the speed of response has been good.
> >
> > But if no-one knows about it, it's no use. I'd like to see an alert... at
> > least that way, it's your own fault if you get bitten.
> >
> > Regards
> > HJR
>
> Update: Oracle has now emailed an alert from Metalink (the first that
> I've seen) about this problem. Here is the text of the message
> (without Metalink access it contains no confidential info...)
>
> ORACLE METALINK NEWS & NOTES
>
> Oracle Security Product Management has released new security alerts
> today.
>
> Please note that you must log into MetaLink at
> http://metalink.oracle.com to review these documents. Use MetaLink's
> advanced search option to retrieve the documents by identification
> number.
>
> ALERT NUMBER 1: UNAUTHORIZED ACCESS VULNERABILITY IN THE ORACLE
> E-BUSINESS SUITE.
> Document Identification Number 185073.1
>
> ALERT NUMBER 2: USER PRIVILEGES VULNERABILITY IN ORACLE9i DATABASE
> SERVER
> Document Identification Number 185074.1
>
> Thank you for using MetaLink.
> Oracle Support Services
>
> Hope this helps.
Received on Tue May 21 2002 - 15:03:43 CDT
