Re: CVE-2012-1675 (Oracle 11gR2 RAC) - Actual Risk?

  • From: <david@xxxxxxxxxxxxxxxxxxxx>
  • To: <erenb@xxxxxxxxxxxxxxx>, <Brandon.Allen@xxxxxxxxxxx>, <andrew.kerber@xxxxxxxxx>, <dbmangler@xxxxxxxxx>, <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 14 Jun 2012 14:50:51 +0100

Hey all,

> The risk for an external threat is pretty much minimized through a set of 
> security layers such as the Firewall, anti-virus, etc.

Without seeing a specific environment I'd tend to disagree; better to be 
more cautious than not. If the database in question is connected to a web or 
application server then there's the potential for SQL injection; there's 
potential for exploitation of flaws in the app environment itself (struts, 
anyone? OAS?); and a host of other issues that can relegate the firewall to an 
expensive box with pretty flashing lights. In this day and age, anyone that 
thinks a firewall offers sufficient protection should open a newspaper and 
read about all the database security breaches taking place. Do you really 
think those orgs weren't using firewalls? As far as WAFs are concerned - 
they can be bypassed by a moderate to skilled attacker. I know it's a pain 
but the best strategy really is keeping your patches up to date and reducing 
your attack surface.