Oracle 9i Isn't Quite Unbreakable
BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com.
For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."
It's a Win-Win for Larry (Score:3, Funny)
Re:Well, we all knew... (Score:3, Interesting)
As a SysAdmin (who never explicitly subscribed) to any of the 3 CMP [cmp.com]/techweb publications I now receive weekly/biweekly/monthly or the electronic C|net [cnet.com] shite I'm now eternally a "customer" of, it's pretty obvious who pays the bills for the (largely) waste of bandwidth reviews they provide. Wake up... they aren't going to bite the hands that feed them - particularly MS or Oracle.
While you/I/every other jaded IT employee with half a brain can be critical of this two faced advertising driven BS, the individual with a tight grip on the purse strings for IT expenditures is getting the same mailings & treating them as dogma - because he doesn't know/care that he's being fed crap with a fancy ribbon around it.
Until the push-periodicals are no longer driven by big bucks advertising contracts & therefore biased coverage of these products, IT "managers" will have a steady supply of bullshit benchmarks & reviews IN WRITING to reinforce & perpetuate their decision making process.
-ct
Re:Well, we all knew... (Score:1)
Re:Well, we all knew... (Score:1)
Just two days ago, my mother asked me if I had seen about that big security problem in the latest version of windows. My mother has used a computer for a grand total of less than an hour in her life, and has no interest in them. She saw it in The Times. So, yes, this latest bug in windows really is getting through to the sort of people who don't have the time or the inclination to read slashdot.
not_cub
Is their Web Site running on Oracle 9i Too? (Score:1)
Oh, hang on [sneath.org], I think I've spotted something
There's a juicy irony in the content of that page...
heh.. makes me wonder (Score:2, Funny)
Nop! They should use PostgreSQL! (Score:1)
PostgreSQL [postgresql.org]
Another Oracle problem not mentioned in post (Score:4, Informative)
Everytime someone bashes Microsoft (Score:1)
http://www.securityfocus.com/vulns/stats.shtml
And we pull this link for the 100'th time because we like to show that the only patch that works is the SYSADMIN/ADMINISTRATOR patch.
To bad they can't be downloaded from the net.
Re:Everytime someone bashes Microsoft (Score:1)
If anyone is running lpd, SunRPC, Telnet, FTP, etc on an internet facing server, they deserve what they get.
Compare apples and apples, compare IIS to Apache. Same goes for IE and Outlook of course, you can't lump Outlook holes into those kind of stats either, although IE is fair game, since webapps can require IE, even if it's not explicitly open, it is still vulnerable.
I see one maggot, it all gets thrown away -- My fiancee [nhdesigns.com]
So what? (Score:4, Insightful)
Re:So what? (Score:1)
Re:So what? (Score:1, Interesting)
Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.
Suuuure, let's just keep the internal networks completely insecure. After all, all attacks are done from the outside, we can always trust our employees, right? Not. Firewalls are a nice add-on, but they're giving a false sense of security if you still keep your systems behind these firewalls unpatched, out-of-the-box-installed and poorly configured. Reports show that up to 80% (I think it was) of attacks happen from the inside.
Re:So what? (Score:2)
If you're going to make up statistics... (Score:2)
At least try to confirm them. :P
A Google search [google.com] returns this article [bbc.co.uk] first that claims 70%, and carried some credibility.
That article, however, was three years old, and I have to wonder if that statistic has changed with the proliferation of script kiddies and root kits. Perhaps "successful attacks" are that high, but in our company, we see attacks almost constantly from the outside, generally automated I grant you, but they are still attacks, whereas I doubt there have been very many inside attacks in our company of 6 people, two of whom are accountants.
Re:So what? (Score:2)
Of course security on an internal machine is important, but let's be realistic. Someone inside your network is likely in a position to sniff the unencrypted connection to Oracle. In that case, they have access to the only interesting thing on the box. And Oracle's logging is so poor (you can't log each query) that you will never know what they did.
Re:So what? (Score:1)
Re:So what? (Score:1)
Databases are in common use on internet-facing applications, that need to deliver stateful behavior. Think of 9IAS as an Apache server with an Oracle backend. No matter where you put it, there will have to be a tunnel to port 80. If it's a public application, such as an ecommerce website, that tunnel will lead to the internet. As others have pointed out, in larger enterprises this server's vulnerability to internal attack may also be a problem.
Needless to say, any dbms that carries useful information must be secure.
Re:So what? (Score:1)
Yes, but a security-conscious organization will ensure that the webservers and the database/application servers are on separate machines, separated by a firewall (in addition to the border firewalls at the edges of the DMZ). If you run everything on the same box, it only takes a single hole in any part of it to compromise the whole shebang.
Re:So what? (Score:1)
Re:So what? (Score:1)
Regarding CatherineCornelius's remark that any database that carries useful information must be secure, bzzt, sorry, wrong answer: any exposed service must be secure. The attackers aren't interested in what you have on your box -- that's just gravy. What most of them are trying to acquire is bandwidth for building their DDoS networks (and relays for bouncing IRC off of), and they don't bother to check what you're doing with your hardware before they attack it. All they need to know is that you have bandwidth and a vulnerable service.
On the other matter of the prevalence of internal attacks, I think the huge number of automated attacks running now has rendered the famous 70% mark long obsolete. Think of Nimda & Code Red. The vast majority of attacks are indiscriminate and external.
For specific attacks against this particular service, these might be carried out by locating Oracle 9i Apache servers using netcraft, or by searching inventories already collected by potential intruders.
The important thing to remember about firewalls is that they don't take the place of host-based security. Once someone finds a way to compromise a host behind the firewall, your entire network is exposed, so if you're not taking care to secure the hosts anyway, you're facing a potential total meltdown.
BTW, protecting against this particular vulnerability might be a good application of Hogwash.
Re:So what? (Score:1)
Safe?
Actually, I recall a lot of statistics indicating there is a considerable number of attacks on servers originating from INSIDE the firewall. Done by employees.
Mind you, the servers at the company I work for are doubly firewalled (outside and inside), but people still need to use the databases and other services so there need to be some holes in the internal firewall, potentially making the servers vulnerable for attacks. Despite the firewalls there are still a lot of things to worry about...
Defence in depth is the key (Score:1)
The reason for this is that configuring a perfect firewall is near-impossible. Even if it were, it is easy to breach this security by opening the wrong port. If the rest of the infrastructure is secure, though, the firewall becomes a way of covering unanticipated (or as yet undiscovered) security holes. Security systems like firewalls only buy you time: if a new vulnerability appears they will keep you safe until a patch is available, but if you never apply the patch, the firewall will eventually be breached and your data exposed.
You can't rely on security systems to make safe systems which are intrinsically vulnerable. So, a secure database of the kind Oracle are trying to deliver makes a significant contribution to Internet security, even if such systems properly should be behind a firewall.
Of course nothing is unbreakable (Score:2, Insightful)
Now for my beef-
As some other poster has in his/her sig, the more good comments you write the greater the chance you get modded down! (Gee, how long until this post gets "offtopic" (even though the first paragraph deals with the topic) or flamebait (for speaking about the bias that occurs here)?)
Hint for newbies, always LOVE Linux, always HATE Microsoft, be ambivalent about MacOSX, and speak a lot of "Elite" words like symmetric anal rapings- 'cause you would be in jail And I mean IN
Re:Of course nothing is unbreakable (Score:1, Flamebait)
-1 Bitter
-1 Slow typist
-1 Way off topic
+1 Vocabulary!
Total= -3(OT)
No, the moderator thing works. You just need to say something really intelligent before anyone else.
Look at my recent comments and my moderation totals [slashdot.org]
Re:Of course nothing is unbreakable (Score:1)
But, haha. Look, my karma goes up already.
Must be my really low user id. Everyone thinks I'm smart cuz I've been here so long
Moderators: If you have to look up any of the terms I've used, don't moderate me. You're probably confused. Read the Moderator Guidelines [slashdot.org] before doing anything drastic.
Re:Of course nothing is unbreakable (Score:1)
Nah
Re:Of course nothing is unbreakable (Score:2, Interesting)
In my original submission I pointed out how the notice of this Oracle exploit occurred the same day as the XP hole, yet guess which one made it to
Apparently whoever decides which submissions are valid edited this little fact out. Granted, the XP hole is HUGE and Microsoft is absolutely clueless when it comes to security, but Ellison and the trade mags hyped 9i's being "unbreakable" to the moon. It took forever for
The people who run
My rambling point is that
Nobody in their right mind..... (Score:4, Insightful)
Re:Nobody in their right mind..... (Score:2)
This is just a technical quibble: It is possible to disprove a theory which predicts an observable fact. Here is the counter-example to your statement:
On a clear day, theorize that the sun is up. Observe that it is indeed up. Theory proven.
This is a trivial and stupid example; the sun is easy to see. But if you were to theorize the existence of a planet, and someone found it where you said it should be (wasn't that the case with Pluto?), it wouldn't seem quite so trivial.
Re:Wrong (Score:1)
One of the true achievements of the 20th century was the philosophical understanding that the meaning of a word (in this case "proven") is not definable by anything else than the sum of its usage. To say that we cannot have absolute knowledge on the workings of our programs is to take the first step towards a solipsistic view of the world (we cannot know anything with certainty, thus I assert nothing more than that I exist).
I am willing to debate any solipsists on slashdot on this subject. I am also quite willing to debate those who have not understood the lessons of Wittgenstein, thus making uneducated statements on epistemology to the effect of "software cannot be theoretically unbreakable".
I find it strange that while most people have some knowledge of what the new findings in physics since the 17th century are, virtually no one knows in what way philosophy has progressed.
Re:Nobody in their right mind..... (Score:2)
(Just a note, I'll bet there is probably a nice flaw in every C/C++ program I've ever written. I've got the only Hello World that can get you rooted, sheesh.)
--Josh
Oracle9i Database vs. Oracle9i Application Server (Score:5, Informative)
Oracle9i Application Server is basically Apache 1.3 bundled with Orion Application Server and an embedded (yes, embedded!) Oracle database server used for data caching. There are a variety of add-ons included as well, depending on how many tens of thousands of dollars (per processor) one wants to spend.
Also, Larry's term "unbreakable" refers not just to security issues but also availability and scalability.
Re:The Distinction is Very Important (Score:5, Informative)
>mission-critical, Enterprise-level applications.
>It's great for serving web-pages out of your
>dorm-room, but for a $$$ piece of software like
>Oracle 9i, I don't know.
>you are never going to be able to fully vet a
>piece of software like Apache that was developed
>by non-professionals
Why are you spreading FUD like this? What is your hidden agenda?
Many professional programmers, particularly from IBM and Sun, participate in the Apache project; plus, IIS has been developed by so-called professionals, and, well, sorry, it's not particularly known for its robustness.
Please check your facts before posting uninformed posts, or stop spreading FUD.
Re:The Distinction is Very Important (Score:1)
hehe.. now it's your turn to stop the FUD. You wouldn't by chance be a Linux supporter, would you? Bias is the basis for FUD, which your post exhibits wonderfully.
Re:The Distinction is Very Important (Score:2)
*notices all the geeks waving hands saying oh oh I know*
Here's a clue: it's not Apache.
Buffer overflows (Score:2, Interesting)
Sure, I've seen fixed size buffers with no checking, or calls to malloc with no checking, on ancient Unix code written in C dating back to the 1980s, but surely nobody has written gibberish like that for years?
Or are there still hordes of new graduates, with no commercial training or experience, let loose on real products with no checking of their work?
Who said Oracle is unbreakable? (Score:2)
I know this is not relevant, but.... (Score:1)
Well, you didn't have to wait for it since last year, when the NIC [thinknic.com] computer came out, one of Larry's brainchildren [thinknic.com].
Memory Models (Score:2)
hats off to ellison (Score:1)
unbreakable == unsinkable (Score:1)
Also, the security adage comes to mind: security is a process, not a product.
buffer overflows.... (Score:1, Interesting)
To my limited understanding of what these vulnerabilities are, they could be fixed by a few simple IFs when receiving things into the buffer. I know programmers typically often expect things to work, and don't build in checks against everything which a user (or a socket) could throw at them, whether through stupidity or maliciousness, but on products like this or XP, you'd think they WOULD bother with error-checking. Perhaps 70% of my web application [dnbscene.com] is error-checking and idiot-proofing: laborious, but if an amateur hack like me can do it in the unpaid coding of a tiny website, why can't professionals?
And most of all... Surely common weaknesses can be handled by a common error-checking routine?
i.e., they write buffer_overflow_check(buffer,incomingdata) and religiously use it every time? This way any security flaws will affect every buffer use in the whole program equally - making them easier to spot, I would have thought - and by the same token, if there are no flaws, the whole program is safe.
AND it's easier to debug and patch.
Perhaps a better programmer than me could explain why this isn't possible?
OR, just use strncat, strncpy, etc. (Score:2)
In the end, the ultimate issue is the use of a programming language (C or C++) that provides no memory management or garbage collection. Memory management issues lurk behind a vast number of the bugs and exploits you hear about, and on that fine day when people start executing their code in memory-managed sandbox environments, the world will be a safer place. Unfortunately C will likely be in heavy use for the next twenty years and exist in legacy code until you die, so maybe learning how to find overflow exploits is a good career move.
Re:OR, just use strncat, strncpy, etc. (Score:2)
You're better off writing your own.
Re:OR, just use strncat, strncpy, etc. (Score:2)
A better set of functions to use is the strl* functions [usenix.org] invented by OpenBSD's Todd Miller.
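As an added example (not code from this thread, from Oracle, or from OpenBSD), the "common error-checking routine" asked for a few posts up and the strl*-style copy recommended above, written out in C. `my_strlcpy` and `checked_receive` are hypothetical names; the sample messages are constructed to stand in for data read from a socket.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical strlcpy with the OpenBSD semantics mentioned in the replies:
 * always NUL-terminates when dstsize > 0 and returns strlen(src), so the
 * caller detects truncation by comparing the return value to dstsize. */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* The single reusable bounds check the post asks about: copy datalen bytes
 * of incoming data into dst only if they fit with room for a terminator.
 * Returns 1 on success, 0 (dst untouched) when the input would overflow. */
int checked_receive(char *dst, size_t dstsize, const char *data, size_t datalen)
{
    if (dstsize == 0 || datalen > dstsize - 1)
        return 0;
    memcpy(dst, data, datalen);
    dst[datalen] = '\0';
    return 1;
}

/* Why "just use strncpy" is not enough: when src is at least as long as the
 * buffer, strncpy writes no terminator, so a later strlen or printf reads
 * past the end of buf. Returns 1 if the buffer was left unterminated. */
int strncpy_left_unterminated(void)
{
    char buf[4];
    strncpy(buf, "abcdef", sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Same input through my_strlcpy: buf ends up "abc" and the return value
 * (6 >= 4) reports that truncation happened instead of hiding it. */
int strlcpy_reports_truncation(void)
{
    char buf[4];
    size_t needed = my_strlcpy(buf, "abcdef", sizeof buf);
    return needed >= sizeof buf && strcmp(buf, "abc") == 0;
}
/* Constructed sample input standing in for data read from a socket: a short
 * request, an oversized one, a short one. Returns how many of the three the
 * shared check accepts into an 8-byte buffer (the oversized one is refused). */
int count_accepted(void)
{
    static const char *const msgs[] = { "GET /", "AAAAAAAAAAAAAAAAAAAAAAAA", "QUIT" };
    char buf[8];
    int accepted = 0;
    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++)
        accepted += checked_receive(buf, sizeof buf, msgs[i], strlen(msgs[i]));
    return accepted;
}
int main(void)
{
    printf("accepted %d of 3; strncpy unterminated=%d; strlcpy flagged=%d\n",
           count_accepted(), strncpy_left_unterminated(), strlcpy_reports_truncation());
    return 0;
}
```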
Monopoly on bugs (Score:4, Insightful)
Oh, the self-righteous smarminess of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one need only look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule?
Re:Monopoly on bugs (Score:1)
Re:Monopoly on bugs (Score:1)
Hmm... because those bugs are fixed much faster? or maybe because they TELL us about them, instead of keeping 'em hidden like Microsoft [kmfms.com].
Nice fact-checking, Timothy (Score:5, Insightful)
You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.
Re:Nice fact-checking, Timothy (Score:2)
My only gripe is that the fans could be a *bit* quieter, and the keyboard is one of those stupid ones with all the extra 'internet' buttons. I just throw it away and use a normal one.
network computer (Score:2, Insightful)
When will vendors learn? (Score:2, Interesting)
Just as there is no truly free lunch, nothing is truly "unbreakable".
We've said it before so let's go once more around the old oak tree: When you claim something is unbreakable you 1) Immediately mobilize an army of dorks trying to prove you wrong and 2) Are lying to sell more goods since nothing in this universe is truly unbreakable.
Even our beautiful Earth will one day be burnt to cinders when the Sun expands before dying...
Has anybody that isn't as paranoid as me considered that this may have been a reasoned move on the part of Oracle? (Or on the part of any company that has claimed its software to be "Unbreakable"...) After all, QA people cost money. It would be relatively simple to do a short QA on functionality, call it unbreakable, and let somebody else find the "show-stopper" bugs for you, for free. For the myopic businessman, this looks like a win-win.
"If I say it's unbreakable, and nobody finds any problems, we sell $1 billion worth of software and I'm happy...if they find bugs I can always say all software has bugs and we'll have found a big problem without paying QA an extra month's salary to find it."
this proves my point (Score:1)
When they came up with the tagline "Unbreakable".. (Score:1)
Chris
oracle.com security hole.. (Score:2)
http://www.devitry.com/security.html [devitry.com]
As an oracle employe.... (Score:1)
AJ
But, the bug is worse with a MSFT OS! (Score:2)
"On Microsoft Windows NT/2000 systems this may mean that the attacker-supplied code is executed with SYSTEM level privileges, as this is the privilege level that the Apache process runs under. On other operating systems successful exploitation may merit local access for the attacker. "
Re:But, the bug is worse with a MSFT OS! (Score:1)
configure what user a service runs as. Moreover unlike Unix you don't need to have webservers running as root and then rely on them giving up their privileges correctly.
Bill vs Larry (Score:1)
Bill, Larry, everybody knows you guys don't like each other. Now why don't you just take this little spat to email.
So what? (Score:2, Insightful)
If the perimeter defense is set up properly, the DB should never be directly accessible from the Internet (unless some abnormal setup). Just for information, for those web applications driven by a DB, I prefer to have a different subnet behind the web server using the internal IP address, so the DB is only accessible through the Web server (from the Internet). Any overflow attacker will have to go through the Web server and then the DB server.
Having said that, there is still risk for internal attack (not to mention a lot of security risk comes from internal). So a quick patch is still very necessary.
I have had a few sites that require access from business partners through VPN to directly access the DB. I see this as a high threat and try my best to guard it, especially because you cannot have a proxy type of filter from another vendor to screen the content (such as e-mail and web). IDS and firewall will not catch a lot of the direct attacks. So, the best way to allow access to the DB is still via an indirect method (such as letting the business partner use a web interface to access data).