RE: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

  • From: Eren Bayazitoglu <erenb@xxxxxxxxxxxxxxx>
  • To: "Brandon.Allen@xxxxxxxxxxx" <Brandon.Allen@xxxxxxxxxxx>, "andrew.kerber@xxxxxxxxx" <andrew.kerber@xxxxxxxxx>, "dbmangler@xxxxxxxxx" <dbmangler@xxxxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jun 2012 10:14:04 -0230

Good point Brendon. The risk for an external threat is pretty much minimized 
through a set of security layers such as the Firewall, anti-virus, etc. 
However, the risk still exists internally. Trusting an insider (such as 
non-production user for testing, development, etc.) is important to establish, 
but it doesn't reduce the risk.

The question is, does the insider need access to the sensitive information? 
Testing and development teams can still carry out their duties with masked data 
(realistic, but obfuscated, so it's no longer sensitive).

Major analyst Gartner evaluated masking vendors and came up with a Top 5, might 
want to check that out.

Eren Bayaz
Data Security Consultant 

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Allen, Brandon
Sent: Wednesday, June 13, 2012 5:14 PM
To: andrew.kerber@xxxxxxxxx; dbmangler@xxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

I'm not a security expert, but it seems to me there's a significant chance that 
an attacker may be behind your firewall as well - either authorized (e.g. a 
malicious employee, consultant, customer, or other trusted party) or 
unauthorized (a hacker).


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Andrew Kerber

I am in agreement that the actual risk is fairly limited for most instances 
since everyone is behind a firewall these days


Privileged/Confidential Information may be contained in this message or 
attachments hereto. Please advise immediately if you or your employer do not 
consent to Internet email for messages of this kind. Opinions, conclusions and 
other information in this message that do not relate to the official business 
of this company shall be understood as neither given nor endorsed by it.


Other related posts: