-
Database Security - My boss will not listen
I have been trying to get my boss to apply a vendor patch to our database, but he says it may crash the server. I showed him this vulnerability
http://www.pgp.com/research/covert/a...nerablesystems
but he says it is not a real threat. Is there anyone here that knows how to execute this exploit. Or does any one have the actual source code? I want to show him that we are vulnerable
Thanks for any help offered,
Kenneth
-
Banned
The TNS Listener daemon runs with "LocalSystem" privileges under Windows NT/2000, and with the privileges of the 'oracle' user under Unix. Exploitation of this vulnerability will lead to the remote attacker obtaining these respective privileges.
Basically this is stating one can make requests through the Oracle Listener. With local system privileges in 2k, this could be dangerous as now your Oracle client has a way in to your server. You basically want the oracle client to have DB access only and have oracle maintain that client's security.
Well, if your running 2k, that's not a good thing. For UNIX, configure the 'oracle' user to not have system access.
Now for the situation with your boss. If he thinks the patch will crash the system, ask him what will happen if a client removes the oracle listener through the above vulnerability. Plus you have an Oracle liscence and the patch should be supported by Oracle, so applying should be just DB maintenance. Secondly, you have brought this issue to his attention, if he chooses to ignore and you get hacked (it only takes one, people!), tell him to fix it.
Network and DB security are major issues. If one chooses to ignore and bad things happen, you look pretty stupid.
-
Member
As I have seen before in my dealings with some "network admins" they seem to enjoy complacency in an ever changing field!
-
Banned
Easier to do nothing, than to do your job. Stop being successful, you're making us look bad....
-
I still can not seem to find the actual exploit code. I want to be able to test this on my db. I want to make sure it is a real threat before I change something.
Thanks for any help offered.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
Forum Rules
|
New Security Features Planned for Firefox 4
Another Laptop Theft Exposes 21K Patients' Data
Oracle Hits to Road to Pitch Data Center Plans
Microsoft Preps Array of Windows Patches
Microsoft Nears IE9 Beta With Final Preview
Simplified Analytics Improve CRM, BI Tools
Android Passes RIM as Top Mobile OS in 2Q
VMware Updates Hyperic System Management
File Monitoring Key to Enterprise Security
LinkedIn Snaps Up SaaS Player mSpoke
|
Reply With Quote
Bookmarks