CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

From: Jeff Thomas <dbmangler_at_gmail.com>
Date: Wed, 13 Jun 2012 14:55:53 -0400
Message-ID: <CAAVEUKFFGM0HGdOivLFNF5vpu0MT0Vq-daUNMKPrXqysJMif7A_at_mail.gmail.com>



This may seem a naive exercise - but I'm trying to determine the actual risk of this exploit vs the implementation risks required for our 11gR2 RAC environments.
My understanding is that this exploit has been 'known' since 2008 - although not publicized. And Oracle rushed out the alert and fix in response to the publishing
of the exploit. The exploit seems to be a somewhat complex man-in-the-middle attack that requires access inside the firewall, or your cluster's exposure to an
insecure network.

If this is not the case for our databases - if all clusters are contained within the internal network - and there is no exposure out - what is the real risk?

We've tested in our lab - and were able to validate via the remote_listener from another cluster both prior to and after the fix. The 11gR2 fix is a little bit of a tedious
process - involving a number of pieces, the wallets, etc. I hate to add complexity to our structure for the sake of appearances as opposed to a true necessity.

Best,
Jeff

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jun 13 2012 - 13:55:53 CDT
