Re: mitigation of oracle/aurora/util/Wrapper and dbms_jvm_exp_perms security issues

  • From: Martin Bach <development@xxxxxxxxxxxxxxxxx>
  • To: Brandon.Allen@xxxxxxxxxxx
  • Date: Thu, 25 Feb 2010 21:12:34 +0000

Hi there!

On 24/02/10 17:36, Allen, Brandon wrote:
> Yes, agreed, but I’d guess that’s a very small minority of all Oracle
> databases, although I have nothing to base that on other than my
> personal experience (I’ve never used XDB).  Certainly those who /need/
> Java should have it installed, but I just think it shouldn’t be included
> by default.

From my personal experience I can tell you that there are a lot of
databases out there that were installed with _all_ possible options
installed, regardless of license status. It's just so easy to fire up
dbca and click next-next-next and end up having 18 or so lines in
dba_server_registry. Not only a licensing problem but can also cause
severe upgrade headaches with entire component groups invalid.

Quite often such databases don't have their dictionaries patched
either.... I have to admit though that such environments generally
suffered from a lack of attention or even complete absence of the caring
hands of a DBA. Packaged applications using Oracle as a backend come to
mind .... I predict it won't be long until universities struggle with
hacked systems....


Martin Bach
OCM 10g
