Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Oracle-L mailing list: Security Alert
We received this and thought I'd pass it on to those who might
need to know.
On Dec 20, 2000 the eSecurityOnline.com Vulnerability Service research team identified a vulnerability affecting a technology for which you have enabled vulnerability alerts. The details of the vulnerability follow:
Oracle Enterprise Manager backup and restore credential vulnerabilities
Description:
Oracle Enterprise Manager is vulnerable to a flaw that may allow
an attacker to gain access to databases. First, a temporary file
is created that contains SYSDBA authentication information.
Second, a TCL script is created that can contain credential
information when a job is submitted to the Manager Agent that
contains credentials or recovery catalog. Third, credentials are
also revealed when the backup process occurs and can be observed
with a process listing. Note OEM 2.2 is only vulnerable to the
last issue.
Impact:
Attackers can gain sensitive information which may lead to
further access.
Affected Technologies:
Oracle Enterprise Manager 2.0.4, 2.1, 2.2
Oracle 8.1.5, 8.1.6, 8.1.7
Recommended Fix:
Upgrade to the latest version of OEM available from the
vendor:
Version 2.2: EM_2.2_1374495
Version 2.1: EM_2.1_1375503
Version 2.0.4: EM_2.0.4_1375503
Vendor advisory:
http://otn.oracle.com/deploy/security/pdf/oem_alert.pdf
About eSecurityOnline.com:
ESecurityOnline.com is dedicated to providing proactive security services via the internet, in an Application Service Provider model.
Online Services- Our suite of online services has been engineered around the proactive management on risks associated with vulnerabilities, system configurations and viruses-the leading causes of unauthorized users gaining access to systems and networks via the internet.
Managed Services- Our portfolio of managed services lets us focus on your core business and minimize IT costs by outsourcing vital security functions to eSecurityOnline.com. In turn, our team of experts will do what we know best: protect your assets and reduce technology risk.
To learn more about the services provided by eSecurityOnline.com, please visit our web site or call us at 1-877-eSecurity.
Copyright 2000 eSecurityOnline.com. All rights reserved.
No part of the content or information included in this alert may be reproduced, re-transmitted or otherwise redistributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, re-keying, or using any information storage and retrieval system, without the prior written permission of eSecurityOnline.com. The content or information included in this alert is proprietary and confidential to eSecurityOnline.com ('Confidential Information'). By accessing this information, you agree to keep Confidential Information confidential and to not use Confidential Information for any purpose not authorized by your written agreement with eSecurityOnline.com.
This alert is maintained by eSecurityOnline.com for the benefit of subscribers to its On-line Vulnerability Service. Your access to and use of the information contained in this alert, are subject to the terms and conditions of your written subscription agreement with eSecurityOnline.com. Nothing in this alert should be construed as granting or conferring any license to use the
Received on Thu Dec 21 2000 - 09:03:57 CST
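For the third issue in the alert (credentials visible in a process listing during backup), the following is an added example, not part of the original post or of Oracle's or eSecurityOnline.com's material. It audits `ps` output for credential-bearing arguments and reports them with the secret redacted. It assumes the credentials appear as RMAN-style connect strings (user/password@service after `target`, `catalog` or `rcvcat`), which the alert does not state, and the sample listing is constructed.

```python
import re

# Assumption: the exposed credentials take the form of RMAN-style connect
# strings (user/password[@service]) following one of these keywords.
# The alert itself does not give the exact command line.
CONNECT = re.compile(
    r"(?i)\b(?:target|catalog|rcvcat)\s+"
    r"(?P<user>[A-Za-z][\w$#]*)/(?P<secret>[^\s@/]+)(?P<svc>@\S+)?"
)

# Constructed sample of `ps -eo pid,user,args` output (not captured data).
SAMPLE_PS = """\
  PID USER     COMMAND
 4121 oracle   ora_pmon_ORCL
 4388 oracle   rman target sys/Ex4mple_pw@orcl rcvcat rcat/C4t_pw@catdb cmdfile /tmp/job.rcv
 4390 oracle   rman target / cmdfile /tmp/job2.rcv
 4402 jdoe     vi /home/jdoe/notes/backup.txt
"""

def find_exposed(ps_text):
    """Return one finding per credential-bearing argument, secret redacted."""
    findings = []
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)            # pid, owner, full argument string
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        pid, owner, args = int(parts[0]), parts[1], parts[2]
        for m in CONNECT.finditer(args):
            # Rebuild the matched text around the secret so the password
            # itself never reaches a report or log file.
            redacted = (args[m.start():m.start("secret")] + "****"
                        + args[m.end("secret"):m.end()])
            findings.append({
                "pid": pid,
                "owner": owner,
                "account": m.group("user"),
                "service": (m.group("svc") or "")[1:],
                "redacted": redacted,
            })
    return findings

if __name__ == "__main__":
    for f in find_exposed(SAMPLE_PS):
        print(f"pid={f['pid']} owner={f['owner']} exposes {f['redacted']}")
```

The `target /` line is not flagged because operating-system authentication puts no password on the command line.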