Re: Security privilege escalation

From: Sayan Malakshinov <xt.and.r_at_gmail.com>
Date: Wed, 13 Jul 2022 03:38:41 +0100
Message-ID: <CAOVevU6Cq=pxxCHj5J9=dzsMacJvE1XT5ZpdcVkDbDNNsGvjFQ_at_mail.gmail.com>



Hi Nenad,

In December 2013 I found two security vulnerabilities in Oracle and reported them to Oracle only. The most critical was fixed in the next quarterly security patch (January) and the second one in July, and my name was included in the credit statement of that quarterly security alert.

Best regards,
Sayan Malakshinov
Oracle performance tuning expert
Oracle Database Developer Choice Award winner
Oracle ACE
http://orasql.org

On Wed, 13 Jul 2022, 03:15 Clay Jackson, <dmarc-noreply_at_freelists.org> wrote:

> I agree w/Mladen. It needs to get fixed; but not at your expense. I think
> the appropriate places to “report” this are CERT and directly to Oracle -
>
>
>
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> *On
> Behalf Of *Mladen Gogala
> *Sent:* Tuesday, July 12, 2022 6:49 PM
> *To:* oracle-l_at_freelists.org
> *Subject:* Re: Security privilege escalation
>
>
>
> On 7/12/22 12:19, Noveljic Nenad wrote:
>
> I found a way to escalate privileges from grid to root.
>
>
>
> Am I allowed to publish the information on my blog?
>
>
>
> Best regards,
>
>
>
> Nenad
>
> Don't do it. Once upon a time, I found a way to escalate privileges to
> SYSDBA by using external job execution. I published the details on
> Usenet. I was being reproached even 2 years after that. Even my boss at the
> time asked me whether I was trying to get the company's databases hacked.
> Basically, I got my 5 minutes of glory and several years of "what were
> you thinking?". Pete Finnigan published that there was a vulnerability and
> I played with the software, figured out what the vulnerability was, and
> published the details. Today, I am sorry that I did. I wouldn't do it
> today.
>
>
>
> Mladen Gogala
>
> Database Consultant
>
> Tel: (347) 321-1217
>
> https://dbwhisperer.wordpress.com
>
> -- http://www.freelists.org/webpage/oracle-l
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jul 13 2022 - 04:38:41 CEST