Re: cpu patch
- From: Stefan Knecht <knecht.stefan@xxxxxxxxx>
- To: joan.hsieh@xxxxxxxxx
- Date: Fri, 11 Sep 2009 19:20:49 +0200
Hi Joan
This really depends on the kind of vulnerabilities the patches fix IMHO --
which varies between each one of them. Consider this for example:
- Your hacker has access to an account in your "non-critical" DB
- There's an unpatched vulnerability that lets authenticated users gain DBA
privileges
- He gains those privileges in your "non-critical" DB.
- He can now do whatever the oracle user on that system can do
- For example, update $HOME/.ssh/authorized_keys with his own key
- He then has shell access (and if your OS is as poorly patched as your
database, he'll soon have root as well)
- It's then easy to capture other valuable information, such as passwords
lying around in scripts, or do many naughty things
- And perhaps your environment has a few (or even just 1) sys password
- And he will very soon have access to the oracle user on different servers
(including your more "critical" ones).
Just some random thoughts, I'm sure others have other ideas ;-)
Stefan
=========================
Stefan P Knecht
CEO & Founder
s@xxxxxxxx
10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen
Switzerland
Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27
info@xxxxxxxx
http://www.10046.ch
=========================
On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <joan.hsieh@xxxxxxxxx> wrote:
> Hi Listers,
>
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web, etc. I am
> wondering if cpu patch is necessary to patch every quarter on these
> servers. Is there any security concern that hackers can hack other important
> databases (like FM, HR) via these databases? All the databases share the
> same tnsnames.ora on the share drive.
>
> Thanks,
>
> Joan
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>
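As an added example (not part of the original thread), a baseline check for the authorized_keys step in the scenario above: it reports every key in the oracle account's file whose fingerprint is not on an approved list, plus any line it cannot parse. The key blobs, host names, option values and the `sample_line` helper are constructed for illustration.

```python
import base64
import hashlib
import re

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # start of OpenSSH key type names
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')  # quoted values may hold spaces

def fingerprint(b64_blob):
    """SHA256 fingerprint as shown by `ssh-keygen -lf` (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line_no, reason, detail) for every entry not in the baseline."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        if not fields[0].startswith(KEY_PREFIXES):
            fields = fields[1:]  # first field was the options list
        try:
            if len(fields) < 2 or not fields[0].startswith(KEY_PREFIXES):
                raise ValueError("no key type and blob")
            fp = fingerprint(fields[1])
        except ValueError:  # includes binascii.Error from bad base64
            findings.append((no, "unparseable", line.strip()))
            continue
        if fp not in approved:
            findings.append((no, "unapproved key", " ".join([fp] + fields[2:])))
    return findings

def sample_line(seed, comment, options=""):
    """Constructed entry: the blob is placeholder bytes, not a real key."""
    return f"{options} ssh-ed25519 {base64.b64encode(seed).decode()} {comment}".strip()

SAMPLE = "\n".join([
    "# authorized_keys of the oracle account (constructed sample)",
    sample_line(b"constructed-dba-key", "dba@adminhost"),
    sample_line(b"constructed-backup-key", "backup@bkphost",
                'from="192.0.2.10",command="/usr/local/bin/backup.sh --full"'),
    sample_line(b"constructed-unknown-key", "added-later"),
    "ssh-ed25519 not*base64 broken",
])
APPROVED = {fingerprint(base64.b64encode(s).decode())
            for s in (b"constructed-dba-key", b"constructed-backup-key")}

if __name__ == "__main__":
    print(*audit(SAMPLE, APPROVED), sep="\n")
```

Run against each server's file on a schedule, with the approved set kept somewhere the oracle account cannot write.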