[21837] in bugtraq


RE: Oracle Vulnerability Discovered in OID

daemon@ATHENA.MIT.EDU (Jonathan (Listserv Account))
Wed Jul 25 11:31:51 2001

From: "Jonathan (Listserv Account)" <listsmurf@ur.nl>
To: <bugtraq@securityfocus.com>
Date: Wed, 25 Jul 2001 11:08:42 +0200
Message-ID: <CCEOKGDKBCEKHFOIOHAHOEMICFAA.listsmurf@ur.nl>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20010720203726.9871.qmail@web11501.mail.yahoo.com>

> This was covered in CERT Advisory CA-2001-18, posted
> to bugtraq by aleph1 on July 17th. The posting is a
> bit misleading and has Oracle 8i Enterprise Edition
> listed rather than Oracle Internet Directory (OiD).
>
> - Dave Lee
>
> In CERT's defense OiD does ship with the Enterprise
> Edition, but that is kind of like listing Win2K is
> vulnerable when it is an Exchange issue.

As far as I understand it, Oracle Internet Directory is an LDAP adapter on
top of the Oracle 8i database and will not function without it. Any
vulnerability in the OID might therefore also affect the database itself;
any EE edition already out there on CD or hard drive has that potential
vulnerability lying dormant, waiting until the OID is enabled.

The Oracle Internet Directory is not available as a separate product, at
least not anymore. So in my very humble opinion - with less than a year of
Oracle experience - it is the Enterprise Edition that is vulnerable. Because
in a world where a DBA might leave the default administrator passwords
intact to make it easier for the next DBA that needs to work on the system,
one cannot be careful enough. Same goes for upgrading and patching; if it
works, why risk breaking it?

OK enough rambling already :)

Cya
Jonathan
