RE: Security privilege escalation
Date: Wed, 13 Jul 2022 02:15:12 +0000
Message-ID: <CO1PR19MB498490C0FB1F6F39F052D9E69B899_at_CO1PR19MB4984.namprd19.prod.outlook.com>
I agree w/Mladen. It needs to get fixed; but not at your expense. I think the appropriate places to "report" this are CERT and directly to Oracle -
From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Mladen Gogala
Sent: Tuesday, July 12, 2022 6:49 PM
On 7/12/22 12:19, Noveljic Nenad wrote:
Am I allowed to publish the information on my blog?
Best regards,
Nenad
Don't do it. Once upon a time, I found the way to escalate privileges to SYSDBA by using external job execution. I published the details on the Usenet. I was being reproached even 2 years after that. Even my boss at the time asked me whether I was trying to get the company's databases hacked. Basically, I've got my 5 minutes of glory and several years of "what were you thinking?". Pete Finnegan published that there was a vulnerability and I played with the software, figured out what the vulnerability was, and published the details. Today, I am sorry that I have. I wouldn't do it today.
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com
--
To: oracle-l_at_freelists.org
Subject: Re: Security privilege escalation
I found a way to escalate privileges from grid to root.
-- http://www.freelists.org/webpage/oracle-l
Received on Wed Jul 13 2022 - 04:15:12 CEST