
Emergency Workaround For Oracle 0-Day

kdawson posted about 6 years ago | from the maybe-somebody-shorted-the-stock dept.

Security 152

Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.

152 comments

Whoops, that was my fault (4, Funny)

Anonymous Coward | about 6 years ago | (#24396159)

I sent the email to 0racle. Too much l33tness, sorry.

Re:Whoops, that was my fault (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#24396357)

I went to Africa and said "Hey, look at all the niggers!". Now THAT is l33tness. Apology accepted.

Fix your shit. (-1, Troll)

Anonymous Coward | about 6 years ago | (#24396165)

So what if they didn't inform Oracle first? Oracle released software with a hole. They should have done a good security audit. (That might not of caught it, but the fact is that they didn't, guaranteed.)

Fix your grammar (2, Insightful)

MrNaz (730548) | about 6 years ago | (#24397255)

I'd comment on the absurdity of your comment, but it's much more fun to point out to trolls that their grammar stinks.

It's "might not have caught it", although, we all expect trolls to have the linguistic skills of neanderthals.

I forgot (-1, Redundant)

Anonymous Coward | about 6 years ago | (#24396169)

I forgot to let Oracle know first. Forgive me.

Re:I forgot (2, Insightful)

snl2587 (1177409) | about 6 years ago | (#24396307)

What a surprise! They were exploited by an actual hacker. Whodathunkit?

Re:I forgot (0)

Anonymous Coward | about 6 years ago | (#24396435)

This is a troll? In what way?

Re:I forgot (0)

Anonymous Coward | about 6 years ago | (#24396489)

Somebody didn't like it and did not have the balls to argue against it since that might expose them to refutation. Therefore, it's a troll. You must be new here.

Re:I forgot (0)

Anonymous Coward | about 6 years ago | (#24396717)

Oracle != Microsoft. Therefore, it can't be hacked (this was a feature, not a bug).

Re:I forgot (1)

ya really (1257084) | about 6 years ago | (#24396607)

I forgot to let Oracle know first. Forgive me.

Sureee...let me guess, you would have contacted Oracle, but you were too much of a coward and figured they might find out who you were.

Haha! (5, Informative)

Anonymous Coward | about 6 years ago | (#24396177)

Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?

Re:Haha! (0)

Anonymous Coward | about 6 years ago | (#24396329)

Remember being rooted once just because I fell asleep and left Oracle running overnight. What's a few hours of Internet access for ORACLE to a crap test system? Apparently enough to get 0wned.

Oracle's code base is ancient crap. (See the constant barrage of security exploits and stone-aged concepts like '' is null.)

Re:Haha! (-1, Troll)

Anonymous Coward | about 6 years ago | (#24396501)

I had a similar experience. I installed Oracle on my Linux box and forgot about it. One night, my router was acting up, so I was bypassing it (and its firewall protection). I fell asleep and when I woke up, a smelly hippy guy was giving me a blowjob. It was really weird, and I didn't know if I should tip him or not. The scariest moment was when I woke up and didn't know if it was a girl or a dude.

Re:Haha! (1, Funny)

Anonymous Coward | about 6 years ago | (#24396555)

It was RMS, you insensitive clod!

Re:Haha! (0)

Anonymous Coward | about 6 years ago | (#24397227)

Now there is a mod with no sense of humor. What administrator hasn't woken up to a man giving them a blowjob? Noob.

p.s. I'm not the same AC

Re:Haha! (0, Offtopic)

AI0867 (868277) | about 6 years ago | (#24398291)

Hah, everyone knows Bruce Willis is vulnerable to water. Maybe this exploit includes drowning the server?

fuck unbreakable. it sucks. (3, Interesting)

nimbius (983462) | about 6 years ago | (#24399387)

I remember coming in every other morning to the office to restart our Oracle concurrent manager servers because they had mysteriously gone haywire somewhere between their backend and Apache interface.

I remember teams of expensive consultants, weeks without sleep and 24-hour on-call in order to restart crashed iStore servers.

This was when I worked for a certain popular bed company. I also remember our Oracle DBA's primary solution being to "reboot all the Oracle servers" when something was wrong, his "learn Oracle from Oracle" book clenched firmly in hand. I remember the database running as a privileged user with full passwordless sudo, as per our Oracle rep's insistence. I remember files stored with access 777 and no one caring. More power to the 0-day exploits. People need to know this software isn't indestructible just because marketing says it is.

Re:fuck unbreakable. it sucks. (3, Interesting)

hanshotfirst (851936) | about 6 years ago | (#24399811)

Your DBAs didn't know what they were doing. Was this an Oracle sales rep or a technical consultant? They were clueless too - there is NO reason to run the Oracle database in that way. I can't speak to the iStore or concurrent manager stuff, but if their lack of knowledge on the core database product was this bad, I can only imagine...

Re:Haha! (1)

tha_mink (518151) | about 6 years ago | (#24400107)

Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?

I'm constantly amazed that companies (and fan boyz) still have the stones to make that claim about anything. Same with Mac..."It Just Works"...

nice timing (5, Funny)

Anonymous Coward | about 6 years ago | (#24396227)

This would seem to be a pretty decent answer to the previous thread (How do geeks get exercise).

Re:nice timing (5, Funny)

jd (1658) | about 6 years ago | (#24396641)

Hmmm. Is it indoors? Check. Lots of sweating? Check. Potential for heart attacks in unfit people? Check. Ok, it meets the criteria.

Re:nice timing (1)

KinkyClown (574788) | about 6 years ago | (#24397099)

I skipped that article because I read 'How do Greeks get exercise'... I see enough porn as it is...

Unbreakable (0)

Anonymous Coward | about 6 years ago | (#24396233)

Now would be a good time to pull out one of those Oracle "Unbreakable" spots :)

Re:Unbreakable (5, Informative)

dannycarroll (180967) | about 6 years ago | (#24396313)

This exploit affects the Weblogic product. Oracle only acquired that a few months ago.

It's got squat to do with the DB product.

Re:Unbreakable (2, Informative)

Anonymous Coward | about 6 years ago | (#24397273)

Very true, it is only the patch from 2 weeks ago for the other 45 vulnerabilities we have to worry about :(. God I hate their quarterly patch cycle; too many important security patches mixed up with other stuff that needs extensive testing before deployment.

Re:Unbreakable (2, Interesting)

BoRegardless (721219) | about 6 years ago | (#24397285)

Come on now. If a bad-ass programmer wants either fun or profit he can put in an exploit which can act as a back door. If it isn't caught, he can later decide to use it one way or another.

How about some serious automated debugging routines, known error and bug checks that are documented, and a mandatory human-based coding review done in a systematic way that tells how well the coding is being done from the start?

Re:Unbreakable (1)

MadKeithV (102058) | about 6 years ago | (#24398103)

(only somewhat tongue-in-cheek)
Do you have any idea what that kind of checking costs?

Re:Unbreakable (2, Interesting)

Markspark (969445) | about 6 years ago | (#24398231)

Apparently not TOO much, since Ericsson and Sony Ericsson both do code audits, with senior programmers questioning every single line of code. (Yes, I have friends who work there.)

Re:Unbreakable (2, Interesting)

MadKeithV (102058) | about 6 years ago | (#24398319)

Great! I'm applying for a job there, since it seems management has half a clue at least!

They have backpedaled (4, Interesting)

stimpleton (732392) | about 6 years ago | (#24396239)

"Oracle: can't break it; can't break in"

Re:They have backpedaled (0)

Anonymous Coward | about 6 years ago | (#24397093)

It's Oracle? It's broken.

That's why I use... (2, Funny)

bennomatic (691188) | about 6 years ago | (#24396325)

...pen and paper.

Re:That's why I use... (4, Funny)

The MAZZTer (911996) | about 6 years ago | (#24396693)

Can I watch you insert and sort and group 45000 rows of data? That's gotta be a sight to behold.

Re:That's why I use... (5, Funny)

ruiner13 (527499) | about 6 years ago | (#24397083)

SQL: >select * from pages(start=1,end=1222) order by name asc
[command executing...]
[timeout ID-10-T - CPU has entered sleep mode]
/usr/bin >

Re:That's why I use... (0)

Anonymous Coward | about 6 years ago | (#24397443)

Well, you can watch me do it. I should warn you I'm equipped with some amazing compression and encryption as well, you would probably say that it looks like a small amount of chicken scratches.

Worthless (5, Funny)

jlarocco (851450) | about 6 years ago | (#24396335)

For Christ's sake. At least link to the fucking Oracle page [oracle.com].

If I wanted to read ZDNet, I'd just go to fucking ZDNet.

Re:Worthless (1, Funny)

Anonymous Coward | about 6 years ago | (#24396671)

Lose the language, you unrefined ruffian. Do you talk to your mother with that mouth? Do you think it makes your point (or lack thereof) stronger? Got masculinity issues?

Re:Worthless (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#24396769)

Awesome, I like being off topic too, just so I can assert my authority over others.

Look, I'm not lying, this post just proved it.

(Anyway, thanks for the worthless comment but jlarocco is right, why link to another regurgitation site about an alert that came from Oracle itself?)

Re:Worthless (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#24396855)

Yah, whatever jlarocco. You're so clever. Nobody sees through your little misdirection. Laughable.

One man's ruffianity... (5, Insightful)

Capt. Skinny (969540) | about 6 years ago | (#24397061)

One man's unrefined ruffianity is another man's unconscious vernacular.

Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.

Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"

Re:One man's ruffianity... (5, Funny)

ozphx (1061292) | about 6 years ago | (#24397969)

And the correct answer is "No, but I kiss yours."

Re:Worthless (1)

ssintercept (843305) | about 6 years ago | (#24397355)

Pull your skirt up. You're mumbling.

Re:Worthless (1)

BiggerIsBetter (682164) | about 6 years ago | (#24398573)

Pull your skirt up. You're mumbling.

You can see the lips moving, but you can't hear what they're saying?

I thought that was more of a problem with tights than with skirts...

It could have been worse. (1)

will_die (586523) | about 6 years ago | (#24397943)

It could have been a standard kdawson article where we were given a link to a blog which linked to the ZDNet or, more likely, Wired article.

Re:Worthless (0)

Anonymous Coward | about 6 years ago | (#24398861)

Is it becoming popular to fuck companies? I need to keep up...

Re:Worthless (1)

StormReaver (59959) | about 6 years ago | (#24399857)

"For Christ's sake. At least link to the fucking Oracle page."

In Soviet America, Oracle fucks you.

Another victim of C/C++ lack of array safety (0, Flamebait)

Animats (122034) | about 6 years ago | (#24396455)

The C/C++ defect that the compiler has no idea of the size of an array claims another victim.

Let me fix that for you (4, Interesting)

achurch (201270) | about 6 years ago | (#24396575)

Not that TFA says anything about whether C or C++ are actually involved, but:

The C/C++ feature that the compiler has no idea of the size of an array claims another example of misuse.

The lack of array size information is a feature of C/C++, and a well-known one at that. If you don't know how to deal with it, you shouldn't be using the language, much less talking about it.

Re:Let me fix that for you (1, Interesting)

Anonymous Coward | about 6 years ago | (#24396859)

Maybe the BEA coder declared a fixed-length array of 4000 characters, either on the stack or as an instance variable, to hold the HTTP POST URL.

Why 4000? Well, I noticed that in the exploit code. It's also mentioned here [boutell.com] as the internal URL limit enforced by Apache.

Re:Another victim of C/C++ lack of array safety (5, Informative)

SpazmodeusG (1334705) | about 6 years ago | (#24396643)

C++ does know the size of arrays. That's why you can call delete [] myArray; without specifying the size of the array.
What C++ doesn't do is test whether the index is out of bounds every time you access the array. That makes it faster, but you should remember to put the test in if the index isn't guaranteed to be correct.

Re:Another victim of C/C++ lack of array safety (0, Redundant)

SpazmodeusG (1334705) | about 6 years ago | (#24396897)

Actually a better example of C/C++ knowing the size of the arrays would of been the sizeof() operator. Anyway the point still stands, C/C++ intentionally don't test array bounds.

Re:Another victim of C/C++ lack of array safety (3, Funny)

cicatrix1 (123440) | about 6 years ago | (#24397973)

Actually a better example of C/C++ knowing the size of the arrays would of been the sizeof() operator.

You're thinking of the infamous `size've` operator.

Re:Another victim of C/C++ lack of array safety (1)

larry bagina (561269) | about 6 years ago | (#24397019)

By that standard, C does too: realloc and free need to know the size.

Re:Another victim of C/C++ lack of array safety (2, Interesting)

lee1026 (876806) | about 6 years ago | (#24397503)

Not always. Suppose if I do something like this:
char *ptr = malloc(1000);   /* char * rather than void *: arithmetic on void * is not standard C */
foo(ptr + 4);

Now, in foo, the correct answer to the size of array being passed to it is 996. But the language does not know that.

Re:Another victim of C/C++ lack of array safety (1)

petermgreen (876956) | about 6 years ago | (#24399567)

C++ does know the size of arrays.
Not quite. C and C++ know the size of memory blocks allocated with malloc or new and can retrieve that information given a pointer to the start of the block.

What they don't know is given a pointer to an array whether that pointer points to the start of a memory block on the heap or to an array on the stack or to part of a larger array on the heap.

This makes it rather difficult to add strong bounds checking in a way that doesn't break existing correct code.

Re:Another victim of C/C++ lack of array safety (4, Funny)

Anonymous Coward | about 6 years ago | (#24396661)

And Princess Diana is a victim of cars' lack of a 30 MPH speed cap.

Re:Another victim of C/C++ lack of array safety (1)

florescent_beige (608235) | about 6 years ago | (#24396749)

That's flamebait but nonetheless...

It's not as if Java never [securityfocus.com] had [sun.com] any [securitytracker.com] buffer [uni-stuttgart.de] overflows [gnu.org] .

As for C/C++, with great power comes great responsibility, either that or for the love of Pete use an std::vector.

Re:Another victim of C/C++ lack of array safety (1)

JNighthawk (769575) | about 6 years ago | (#24396887)

When I was developing a game for class, I initially began using std::list to store my entities. With more than a trivial amount, it was extremely bogged down. When I swapped that over to an inline linked list built into the class, I gained about 4x performance.

The STL is *not* useful for time-sensitive applications.

Re:Another victim of C/C++ lack of array safety (0)

Anonymous Coward | about 6 years ago | (#24396981)

Let me guess, you used STL lists like this:

std::list<GameObject> myObjects;

You probably should've used it like this:

std::list<GameObject*> myObjects;

otherwise a lot of performance may be lost when STL shuffles items around.

Re:Another victim of C/C++ lack of array safety (1)

smellotron (1039250) | about 6 years ago | (#24397447)

Not sure if this is relevant to your situation, but I've found that GNU std::list sucks compared to almost any other data structure. Never bothered to check why, I now just try to avoid it. Sorry, but you happened to stumble upon the worst of the lot.

If you think you can beat std::vector... good luck. You won't, for any non-POD type.

Re:Another victim of C/C++ lack of array safety (4, Informative)

MadKeithV (102058) | about 6 years ago | (#24398173)

The thread is talking about arrays, and you mention std::list. Right, C++ standard library golden rule #1: always use std::vector, unless you have a really, REALLY, REALLY good reason to use something else. See also one of the other child posts.
std::vector is the array replacement. It has good random access speed. It is guaranteed to use contiguous memory. If it's not fast enough, that's probably because you are allocating memory because you are storing by value, and the STL makes a lot of copies of stored values internally in many operations (see other child post) - and that can be solved without defaulting to pointers by using a custom allocator.
If any of this seems too complex to you, you shouldn't be bothering with performance-critical C++ yet; learn more about the language and libraries first. I recommend the book "Efficient C++" [google.be] by Dov Bulka and David Mayhew as an introduction, and "Effective STL" [amazon.com] by Scott Meyers for more on the standard library.

Re:Another victim of C/C++ lack of array safety (4, Funny)

ByOhTek (1181381) | about 6 years ago | (#24396963)

or for the love of Pete use an std::vector.

What's love got to do with it? In fact, if you go for money, you are probably more likely to find a good std::vector. Sorry, old joke. Couldn't resist.

Re:Another victim of C/C++ lack of array safety (1)

smellotron (1039250) | about 6 years ago | (#24397489)

Gah, I know it's flamebait but I can't resist. As has already been pointed out, C and C++ both do know the size of arrays. However, unlike Java, the C and C++ idiom of decaying arrays to pointers causes that information to be lost in the callee. It is intentional behavior, because it is expected that the user (programmer) manages array sizes correctly.

The cost is that programmers who don't know exactly what they're doing run into these problems. The benefit is that the program runs as fast as possible on the target hardware. If that benefit isn't worth the cost, get out of the way, but don't bitch that the language doesn't coddle you. It's not supposed to.
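A constructed C example, added here and not taken from any commenter or from the plugin itself, that puts this subthread's points side by side: the caller's array knows its size, the callee sees only a pointer after decay, the malloc(1000) + 4 case lee1026 describes is not recoverable from the pointer, and the workable defence is passing the destination capacity explicitly and checking it before the copy. The 4000-byte buffer size follows the speculation above and is assumed, not confirmed against the real plugin.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-length URL buffer size as speculated above; a constructed value for
 * this example, not confirmed against the actual plugin. */
#define URL_BUF_SIZE 4000

/* Inside the caller the array has not decayed, so sizeof gives the true length. */
size_t size_visible_to_caller(void)
{
    char url[URL_BUF_SIZE];
    return sizeof url;              /* 4000 */
}

/* Once passed to a function the array decays to a pointer; sizeof now yields
 * the pointer width (8 on a 64-bit build), and the 4000 is gone. */
size_t size_visible_to_callee(const char *p)
{
    return sizeof p;
}

/* lee1026's case: malloc(1000) followed by foo(ptr + 4). The callee's real
 * room is 996, but nothing in the pointer encodes that, so the caller has to
 * compute it and pass it along explicitly. */
size_t room_after_offset(size_t block_size, size_t offset)
{
    return offset > block_size ? 0 : block_size - offset;   /* (1000, 4) -> 996 */
}

/* Length of s, never scanning beyond cap bytes, so an unterminated or
 * oversized input cannot itself cause an over-read. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* The hardened copy: the destination capacity is passed explicitly and
 * checked before any byte is written. Overlong input is rejected rather than
 * truncated, since a silently truncated URL may still get routed somewhere.
 * Returns 0 on success, -1 if src (plus its NUL) does not fit. */
int copy_url_checked(char *dst, size_t dst_cap, const char *src)
{
    size_t n = bounded_len(src, dst_cap);
    if (n >= dst_cap)               /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Builds a constructed URL of exactly len bytes and tries the checked copy
 * into a URL_BUF_SIZE buffer. Returns copy_url_checked's result, or -2 on
 * allocation failure. */
int try_url_of_length(size_t len)
{
    char dst[URL_BUF_SIZE];
    char *src = malloc(len + 1);
    int rc;
    if (src == NULL)
        return -2;
    memset(src, 'a', len);
    src[len] = '\0';
    rc = copy_url_checked(dst, sizeof dst, src);
    free(src);
    return rc;
}

int main(void)
{
    char url[URL_BUF_SIZE] = "http://example.invalid/";
    printf("caller sees %zu bytes, callee sees %zu\n",
           size_visible_to_caller(), size_visible_to_callee(url));
    printf("room after malloc(1000) + 4: %zu\n", room_after_offset(1000, 4));
    printf("3999-byte URL: %d, 4000-byte URL: %d, 5000-byte URL: %d\n",
           try_url_of_length(3999), try_url_of_length(4000),
           try_url_of_length(5000));
    return 0;
}
```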

perhaps if they paid ... (4, Insightful)

SlashWombat (1227578) | about 6 years ago | (#24396475)

I would have thought that an exploit like this would be worth a huge amount of money ... For Oracle, but now for the great pool of unwashed out there.

It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, the exploit would have been reported directly to Oracle. By substantial I mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)

Re:perhaps if they paid ... (0)

Anonymous Coward | about 6 years ago | (#24396757)

The fact that it's been released probably just means that Oracle didn't pay whatever they demanded.

Re:perhaps if they paid ... (1)

Jeffrey Baker (6191) | about 6 years ago | (#24397147)

The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these. The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.

Re:perhaps if they paid ... (5, Informative)

rubycodez (864176) | about 6 years ago | (#24397223)

This is an article about an exploit in the BEA WebLogic J2EE server, which until very recently had nothing to do with Oracle (the company) at all, nor with Oracle (the DBMS).

I can't believe all the tards here going off about Oracle's DBMS code base.

Re:perhaps if they paid ... (1)

Jeffrey Baker (6191) | about 6 years ago | (#24397233)

I don't care what label they put on it: it's still unsafe native code garbage. You will note from the exploit and discussion that the problem lies in mod_wl.

Re:perhaps if they paid ... (1)

smellotron (1039250) | about 6 years ago | (#24397521)

One man's garbage is apparently another man's paycheck. Some people's jobs are based around writing unsafe native code (be it C, C++, or assembler), because nothing else is fast enough.

Re:perhaps if they paid ... (2, Insightful)

enosys (705759) | about 6 years ago | (#24397409)

The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these.

Do you mean how they pay employees and some of those employees are involved in testing and debugging? That's not the same as paying for vulnerabilities. Do those employees get a bonus for finding vulnerabilities? What about if someone who is not an employee finds a vulnerability?

The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.

True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle.

Slippery backfiring slope... (1)

Animaether (411575) | about 6 years ago | (#24398971)

"True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle."

Actually, I think it would make security researchers (white hat) and 'security researchers' (black hat) far more likely to not contact Oracle with full details as they may have in the past, and instead tell Oracle "we've found a vulnerability. For $100,000 we will tell you what it is. For $0 we will tell... other ...interested parties." ( where other interested parties may be baddies or the public at large; either way rather undesirable. )

I'm not saying that everybody would suddenly get dollar signs in their eyes, but certainly many would be tempted, given that this would essentially be legal extortion.

It's a fucking Oracle !! Should it have known ?? (2, Funny)

Anonymous Coward | about 6 years ago | (#24396509)

Some Oracle That Is !!

Re:It's a fucking Oracle !! Should it have known ? (0)

Anonymous Coward | about 6 years ago | (#24396763)

The Oracle knew that employees of companies using these databases needed a day off.

What a fucking champ.

"0 day?" (1, Funny)

Anonymous Coward | about 6 years ago | (#24396529)

This exploit is over 10 days old now; Slashdot, you are wayyy too late on reporting this.

Re:"0 day?" (0)

Anonymous Coward | about 6 years ago | (#24396771)

Since the Oracle codebase changes so slowly, I'm willing to bet that the exploit has been there for a decade or more. The fact that someone published it just means that Oracle can get off their asses and fix it now.

what in the world is mod_wl do? (4, Insightful)

Anonymous Coward | about 6 years ago | (#24396531)

I just tried to google mod_wl and the first page
of the results does not clearly tell me what mod_wl
even does. I do not know a single person who uses
it and I work at a large ISP.

This has nothing to do with Oracle's database and
I think Slashdot editors really need to stop with
these silly headlines designed to get me to click
on stories. Grow up! Make a profit without deceit!

Frankly, this post about this overflow is such
a non-issue for me it is funny.

Can anyone explain what in the heck mod_wl even does?

Re:what in the world is mod_wl do? (1)

Ethanol-fueled (1125189) | about 6 years ago | (#24396665)

Why do some people insist
on squeezing their posts
like this?

There is an art to formatting
one's post for effect,
but this is a web forum,
not some scrunched-up
afterthought of a
newspaper column!

Oh, wait...

Re:what in the world is mod_wl do? (0)

Anonymous Coward | about 6 years ago | (#24396705)

I am used to using pine as an email client and I
tend to hit enter before the line wraps around.

Since pine does not have a word wrap feature I do
not want others to get lines that look like this
when reading email:

this is a very long line that continues on and on and right off my window.... yada yada.

Basically I think it is a habit due to using a
certain sized ssh window and older tools... I want
to be able to read a certain distance and be able
to find the next line easily without getting lost.

Anyway..

Re:what in the world is mod_wl do? (0)

Anonymous Coward | about 6 years ago | (#24396983)

I am sure this makes perfect sense for you but the rest of us don't use 640x480 anymore.....

Re:what in the world is mod_wl do? (0)

Anonymous Coward | about 6 years ago | (#24399771)

You might be able to set the default message format to HTML. You could use as many lines as you wish and break lines using <br />.

Re:what in the world is mod_wl do? (0)

Anonymous Coward | about 6 years ago | (#24399809)

The plugin does clustering, load-balancing and reverse proxying.
It can (for example) be used to provide SSL encryption through Apache for a number of WebLogic instances.

Also see: http://e-docs.bea.com/wls/docs81/plugins/apache.html

Applying Schneier's dictum (0, Insightful)

Anonymous Coward | about 6 years ago | (#24396565)

Substantial improvement in security and software quality will require vendors to take responsibility for their bugs. The most likely way to achieve this is to force actual losses upon their customers, who will then complain effectively to the vendors.

hack my trouble ticket system (1, Funny)

magarity (164372) | about 6 years ago | (#24396621)

Sweet, I've been wondering how to hack the trouble ticket system's Oracle back end at work. Now when a deploy has issues in production that weren't seen in development, I can retroactively fix my ticket attachments so it looks like the system engineers screwed up the deploy. Muahahahahaha!!!!

A misnomer (2, Funny)

engun (1234934) | about 6 years ago | (#24396627)

The hacker thought "Oracle" already knew ;-)

It's for Weblogic, not Oracle Database (3, Informative)

Samari711 (521187) | about 6 years ago | (#24396629)

Not nearly as panic-inducing as I first thought, although I'm sure my program management is going to get all bent out of shape about it anyway. Bad news if you use Apache with WL though.

Re:It's for Weblogic, PANIC!!!! (2, Informative)

Gunstick (312804) | about 6 years ago | (#24398379)

You should panic if it's for WebLogic. Your Oracle databases are not open to the Internet. But WebLogic, or especially this buggy plugin in your Apache, is!
That means: potentially free access to your webserver!

"Did not contact Oracle first." (3, Insightful)

InlawBiker (1124825) | about 6 years ago | (#24396863)

"Whoever published the vulnerability and matching exploit code did not contact Oracle first."

It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.

I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.

Re:"Did not contact Oracle first." (2, Insightful)

John Whitley (6067) | about 6 years ago | (#24397115)

I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

No need for abstract belief; this is near certainty. Even "better", I've seen stuff that would curl your teeth that the vendor apparently knew about but which remained quietly unpatched. That was in the toolset of a professional IT security testing company. Their stuff made Metasploit look like a Lego model of a battleship vs. the real thing. It's sobering knowing that tools exist that are the direct realization of the weakest link principle, with a really well-thought-out and easy-to-use UI, and backend code just as nice. Click, ownage, click, ownage... /shudder

Re:"Did not contact Oracle first." (1)

_Shad0w_ (127912) | about 6 years ago | (#24397291)

I once found a bug in a major SCADA platform that, from talking to someone who worked for the company that developed it, they knew about and had a fix for; their support people had instructions to only tell you about it and send it to you if you'd actually found the bug. As in found it and knew what it was (namely a memleak).

Re:"Did not contact Oracle first." (1)

TooMuchToDo (882796) | about 6 years ago | (#24397385)

That should be criminal (not proactively providing the patch to customers). Stuff connected to SCADA equipment can kill you (in lots of cases, like electrical substations and gas pipelines).

Re:"Did not contact Oracle first." (1)

_Shad0w_ (127912) | about 6 years ago | (#24398461)

In this case what it did was cause the system to fall over once a day and need rebooting; fortunately all that meant was they couldn't change the lane assignments on a conveyor belt system until it came back up again.

I come from the old school of thought that says that a SCADA system should be able to fail without adversely affecting the safety of the overall system. You lose your overview and control, but the automatic controls and safeties should continue to operate and make sure nothing really bad happens - I like having hardware based panel controls to fall back on.

Mind you, software-based safety seems to be the way it's going nowadays; the last factory-based job I worked on was using PLC-based safety controls like AB's GuardPLC and GuardLogix series. And it had a safety curtain that auto-reset; that resulted in quite a few people going "WTF!? What do you mean that was by design?" Especially the fitter who was stood on the shadow board trying to unjam a panel when the safety reset and the board spun round. Cue quick-witted people jumping for the nice red buttons.

Re:"Did not contact Oracle first." (1)

Jeffrey Baker (6191) | about 6 years ago | (#24397185)

Reporting to the vendor is pretty much useless. They will stonewall you and then, for something as big and inertial as Oracle, the patch will come out five years later. It's much more important, and, to me, much more aligned with sound ethical principles to report the problem immediately and directly to the public. By doing so you give the users and administrators a fair chance to quantify the risks of using the product, and to try to offset those risks with countermeasures.

If you just report it to Oracle, they'll bottle it up. All those chumps paying a million dollars a year for Platinum Support 5000 Ultra will not get to hear about it until the fix is in, five years later.

Re:"Did not contact Oracle first." (0)

Anonymous Coward | about 6 years ago | (#24398053)

Think NSA.

Someone makes a living out of finding information.

Re:"Did not contact Oracle first." (0)

Anonymous Coward | about 6 years ago | (#24399641)

"I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it."

No it isn't.

To disclose or not... (4, Interesting)

Fallen Kell (165468) | about 6 years ago | (#24396925)

Again, this brings up the whole debate on to disclose or not to disclose.

I seriously don't think that we would have seen any kind of information from Oracle about trying to mitigate a possible problem if this had simply been sent only to Oracle. As such, we are a little safer in the sense that at least we know of the issue, and as a result can apply the remedies both Oracle provided as well as any other solutions to help protect against this kind of attack.

Had this not gone public, it would almost definitely be another few months before we had a fix in place from Oracle, and in the meantime we would have been vulnerable to an attack that someone has already found (which means it is likely that many people know of the flaw and may be looking to exploit it).

While in some cases full disclosure may not be the best idea, in this case (or any case for that matter where the exploit can be defeated with certain configuration options) it is better that we know of it immediately so we can put our own protections in place and use our own judgment as to what extra actions may need to take place (possibly including taking affected systems off-line or otherwise unavailable). We are all safer now because of this person releasing the exploit into the wild on the public internet, which forced a company to make a statement about that exploit and give immediate advice to protect against it, as opposed to sitting on that exploit, not telling anyone about it, and quietly having a patch released with the normal patch cycle.

Re:To disclose or not... (0)

Anonymous Coward | about 6 years ago | (#24399381)

"I seriously don't think that we would have seen any kind of information from Oracle about trying to mitigate a possible problem if this had simply been sent only to Oracle."

Why would you think this? Has this happened in the past? If so, then your statement holds merit. Otherwise, your statement is nothing more than a false justification.

Typically, I have seen exploits turned over to the code owners with the intention of going public after a certain time period.

I'm for free-for-all btw. If you found it, do what you want with it. But for you to justify this with a statement that can't be proven (either way) is pretty silly. The only thing you have proven is that you are anti-Oracle. ;)

Letting the vendor know first can be risky (4, Interesting)

erroneus (253617) | about 6 years ago | (#24397129)

Though many experts in the area make it policy to inform the vendor, some vendors respond in wildly inappropriate ways. Some simply ignore it, others will contact law enforcement authorities believing that they are being blackmailed. And yes indeed, some security conscious people have been arrested for trying to do "the right thing."

It is rare that security flaws like these are announced in this way. I find it more likely that someone attempted to contact Oracle on the matter and the message didn't get to the right eyes or ears and was discarded. Now they are simply claiming to have no knowledge of being prior informed... or maybe just as likely, they were adequately informed and they simply did nothing about it. Microsoft is well known for doing that. There have been exploitable flaws in their OSes for years that have not been patched. Ultimately, I find it more likely that they were informed and for whatever reason did not act on it.

It's best to report it to the vendor/maintainer first and give them 30 days to fix it, but even then you're probably better off remaining as anonymous as possible or someone may be knocking on your door before you know it.

Re:Letting the vendor know first can be risky (0)

Anonymous Coward | about 6 years ago | (#24398277)

And yes indeed, some security conscious people have been arrested for trying to do "the right thing."

Bullshit. Facts, please. Breaking into someone's network without permission is *not* "security research", it's hacking and it's against the law.

What? (0)

Anonymous Coward | about 6 years ago | (#24399505)

The poster was talking about reporting security vulnerabilities, not breaking into systems. You seem to have a problem with reading.

mod 0p (-1, Redundant)

Anonymous Coward | about 6 years ago | (#24398355)

most people intO a