Re: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?
- From: <david@xxxxxxxxxxxxxxxxxxxx>
- To: <erenb@xxxxxxxxxxxxxxx>, <Brandon.Allen@xxxxxxxxxxx>, <andrew.kerber@xxxxxxxxx>, <dbmangler@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
- Date: Thu, 14 Jun 2012 14:50:51 +0100
Hey all,
> The risk for an external threat is pretty much minimized through a set of
> security layers such as the Firewall, anti-virus, etc.
Without seeing a specific environment I'd tend to disagree; better to be
more cautious than not. If the database in question is connected to a web or
application server then there's the potential for SQL injection; there's
potential for exploitation of flaws in the app environment itself (struts,
anyone? OAS?); and host of other issues that can relegate the firewall to an
expensive box with pretty flashing lights. In this day and age, anyone that
thinks a firewall offers sufficient protection should open a newspaper and
read about all the database security breaches taking place. Do you really
think those orgs weren't using firewalls? As far as WAFs are concerned -
they can be bypassed by a moderate to skilled attacker. I know it's a pain
but the best strategy really is keeping your patches up to date and reducing
your attack surface.
Cheers,
David
--
//www.freelists.org/webpage/oracle-l
Other related posts:
