Re: Security privilege escalation
Date: Wed, 13 Jul 2022 02:20:54 -0400
Message-ID: <CAMHX9JKKqG6TZDYCGgUWVcE9bgGCGu0F6a_Bi7Sk9N8vP=AAmA_at_mail.gmail.com>
Yep, send it to secalert_us_at_oracle.com and don't post the exploit before Oracle has released relevant patches (plus some extra time) - or don't post all the details publicly at all. The problem is that many customers don't patch that quickly anyway, and do you want them to be (even more) vulnerable than they already are due to this bug?
Many years ago I did publish an Oracle zero day myself (from DBA to SYSDBA + OS access as oracle user), so my reasoning was that it's not *that* crazy, but once I got a little older and more responsible (?) I took that post down because it was still about a zero day (and it wasn't right to publish it as a zero day).
I have since reported more security bugs to the above-mentioned Oracle email address and not made any other noise about it, but later you will get your name acknowledged in Oracle's future critical patch update advisory notes, in the "Credit Statement" sections :-)
--
Tanel Poder
https://learn.tanelpoder.com

On Wed, Jul 13, 2022 at 1:49 AM Noveljic Nenad <nenad.noveljic_at_vontobel.com> wrote:
> Thank you for your suggestions. I’ve got the message - I’m going to inform
> CERT and Oracle today and then keep quiet about it.
>
> With regard to mitigation, I’m thinking of disabling the oracle-tfa
> (Oracle Trace File Analyzer) service that was installed with the
> Clusterware and then setting up a stand-alone OSWatcher instead.
>
> Are there any significant disadvantages of shutting down the TFA? I’ve
> never logged into the Java server application started by this service.
>
> Best regards,
>
> Nenad
-- http://www.freelists.org/webpage/oracle-l