Bugtraq mailing list archives
RE: Oracle Vulnerability Discovered in OID
From: "Jonathan (Listserv Account)" <listsmurf () ur nl>
Date: Wed, 25 Jul 2001 11:08:42 +0200
This was covered in CERT Advisory CA-2001-18, posted to bugtraq by aleph1 on July 17th. The posting is a bit misleading and has Oracle 8i Enterprise Edition listed rather than Oracle Internet Directory (OiD).
- Dave Lee
In CERT's defense OiD does ship with the Enterprise Edition, but that is kind of like listing Win2K is vulnerable when it is an Exchange issue.
As far as I understand it, Oracle Internet Directory is an LDAP adapter on top of the Oracle 8i database and will not function without it. Any vulnerability in the OID might therefore also affect the database itself; any EE edition already out there on CD or hard drive has that potential vulnerability lying dormant, waiting until the OID is enabled. The Oracle Internet Directory is not available as a separate product, at least not anymore.

So in my very humble opinion - with less than a year of Oracle experience - it is the Enterprise Edition that is vulnerable. Because in a world where a DBA might leave the default administrator passwords intact to make it easier for the next DBA that needs to work on the system, one cannot be careful enough. Same goes for upgrading and patching; if it works, why risk breaking it?

OK, enough rambling already :)

Cya
Jonathan