Re: cpu patch
- From: Stefan Knecht <knecht.stefan@xxxxxxxxx>
- To: joan.hsieh@xxxxxxxxx
- Date: Fri, 11 Sep 2009 19:20:49 +0200
Hi Joan
This really depends on the kind of vulnerabilities the patches fix IMHO --
which varies between each one of them. Consider this for example:
- Your hacker has access to an account in your "non-critical" DB
- There's an unpatched vulnerability that lets authenticated users gain DBA
privileges
- He gains those privileges in your "non-critical" DB.
- He can now do whatever the oracle user on that system can do
- For example, update $HOME/.ssh/authorized_keys with his own key
- He then has shell access (and if your OS is as poorly patched as your
database, he'll soon have root as well)
- It's then easy to capture other valuable information, such as password
laying around in scripts, or do many naugthy things
- And perhaps your environment has a few (or even just 1) sys password
- And he will very soon have access to the oracle user on different servers
(including your more "critical" ones).
Just some random thought, I'm sure others have other ideas ;-)
Stefan
=========================
Stefan P Knecht
CEO & Founder
s@xxxxxxxx
10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen
Switzerland
Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27
info@xxxxxxxx
http://www.10046.ch
=========================
On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <joan.hsieh@xxxxxxxxx> wrote:
> Hi Listers,
>
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web. etc. I am
> wondering if cpu patch is necesscery to patch every quarterly on these
> servers. Is there any security concern that hackers can hack other important
> databases( like FM, HR) via these databases. All the databases share the
> same tnsnames.ora on the share drive.
>
> Thanks,
>
> Joan
>
>
> --
> //www.freelists.org/webpage/oracle-l
>
>
>
Other related posts:
