Thank you for your suggestions. I’ve got the message - I’m going to inform CERT
and Oracle today and then keep quiet about it.
With regard to mitigation, I’m thinking of disabling the oracle-tfa (Oracle
Trace File Analyzer) service that was installed with the Clusterware and then
setting up a stand-alone OSWatcher instead.
Are there any significant disadvantages of shutting down the TFA? I’ve never
logged into the java server application started by this service.
Best regards,
Nenad
From: oracle-l-bounce@xxxxxxxxxxxxx <oracle-l-bounce@xxxxxxxxxxxxx> On Behalf
Of Sayan Malakshinov
Sent: Mittwoch, 13. Juli 2022 04:39
To: Clay Jackson (cjackson) <Clay.Jackson@xxxxxxxxx>
Cc: Mladen Gogala <gogala.mladen@xxxxxxxxx>; ORACLE-L <oracle-l@xxxxxxxxxxxxx>
Subject: Re: Security privilege escalation
*** E-Mail from outside Vontobel: Do not click on links or open attachments
unless you know the content is safe. ***
Hi Nenad,
In december 2013 I found 2 security vulnerabilities in Oracle and reported to
then only. The most critical was fixed in the next quarterly security patch
(january) and the second one in July, and my name was included into the credit
statement of that quarterly security alert.
Best regards,
Sayan Malakshinov
Oracle performance tuning expert
Oracle Database Developer Choice Award winner
Oracle ACE
http://orasql.org
On Wed, 13 Jul 2022, 03:15 Clay Jackson,
<dmarc-noreply@xxxxxxxxxxxxx<mailto:dmarc-noreply@xxxxxxxxxxxxx>> wrote:
I agree w/Mladen. It needs to get fixed; but not at your expense. I think the
appropriate places to “report” this are CERT and directly to Oracle -
From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
<oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>> On Behalf
Of Mladen Gogala
Sent: Tuesday, July 12, 2022 6:49 PM
To: oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>
Subject: Re: Security privilege escalation
CAUTION: This email originated from outside of the organization. Do not follow
guidance, click links, or open attachments unless you recognize the sender and
know the content is safe.
On 7/12/22 12:19, Noveljic Nenad wrote:
I found a way to escalate privileges from grid to root.
Am I allowed to publish the information on my blog?
Best regards,
Nenad
Don't do it. Once upon a time, I found the way to escalate privileges to SYSDBA
by using external job execution. I published the details on the Usenet. I was
being reproached even 2 years after that. Even my boss at the time asked me
whether I am trying to get the company's databases hacked. Basically, I've got
my 5 minutes of glory and several years of "what were you thinking?". Pete
Finnegan published that there was a vulnerability and I played with the
software, figured out what the vulnerability was, and published the details.
Today, I am sorry that I have. I wouldn't do it today.
Mladen Gogala
Database Consultant
Tel: (347) 321-1217
https://dbwhisperer.wordpress.com<https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdbwhisperer.wordpress.com%2F&data=05%7C01%7Cclay.jackson%40quest.com%7C84799003769a4761d0a408da6471daed%7C91c369b51c9e439c989c1867ec606603%7C0%7C0%7C637932737431367443%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=y0oUGvF54Qn%2BWLm0vckfxGeG7mcqqc5kRxEOcQKEpd0%3D&reserved=0>
-- //www.freelists.org/webpage/oracle-l
____________________________________________________
Please consider the environment before printing this e-mail.
Bitte denken Sie an die Umwelt, bevor Sie dieses E-Mail drucken.
Important Notice
This message is intended only for the individual named. It may contain
confidential or privileged information. If you are not the named addressee you
should in particular not disseminate, distribute, modify or copy this e-mail.
Please notify the sender immediately by e-mail, if you have received this
message by mistake and delete it from your system.
Without prejudice to any contractual agreements between you and us which shall
prevail in any case, we take it as your authorization to correspond with you by
e-mail if you send us messages by e-mail. However, we reserve the right not to
execute orders and instructions transmitted by e-mail at any time and without
further explanation.
E-mail transmission may not be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or incomplete. Also
processing of incoming e-mails cannot be guaranteed. All liability of Vontobel
Holding Ltd. and any of its affiliates (hereinafter collectively referred to as
"Vontobel Group") for any damages resulting from e-mail use is excluded. You
are advised that urgent and time sensitive messages should not be sent by
e-mail and if verification is required please request a printed version.
Please note that all e-mail communications to and from the Vontobel Group are
subject to electronic storage and review by Vontobel Group. Unless stated to
the contrary and without prejudice to any contractual agreements between you
and Vontobel Group which shall prevail in any case, e-mail-communication is for
informational purposes only and is not intended as an offer or solicitation for
the purchase or sale of any financial instrument or as an official confirmation
of any transaction.
The legal basis for the processing of your personal data is the legitimate
interest to develop a commercial relationship with you, as well as your consent
to forward you commercial communications. You can exercise, at any time and
under the terms established under current regulation, your rights. If you
prefer not to receive any further communications, please contact your client
relationship manager if you are a client of Vontobel Group or notify the
sender. Please note for an exact reference to the affected group entity the
corporate e-mail signature. For further information about data privacy at
Vontobel Group please consult www.vontobel.com <https://www.vontobel.com>.
