The Week of Oracle Database Bugs

os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."
This discussion has been archived. No new comments can be posted.

  • Great (Score:4, Interesting)

    by Spritzer ( 950539 ) * on Tuesday November 21, 2006 @02:39PM (#16935880) Journal
    Maybe they should look at security issues with Oracle's Discoverer client as well. It's pretty sad when having "@" in your password will compromise every character that follows within your password. For example, if ODB password were Sl@shd0t! and the database to connect to were BOB, at the next login the Connect field would be filled with shd0t!@BOB. Not a huge issue, but certainly a risk if multiple people with varying permissions/responsibilities in Oracle have access to a machine with Discoverer.
  • Bug vs. Exploit... (Score:3, Interesting)

    by msimm ( 580077 ) on Tuesday November 21, 2006 @02:55PM (#16936298) Homepage
    They are talking about two different things. It's one thing to say: hey, I'm a DBA and Oracle has a lot of bugs. It's another to say: hey hackers! There are a whole bunch of unpatched 0day exploits [wikipedia.org].

    Extending the week to two would be fine if it helps motivate Oracle to patch their software *before* someone makes these more trivially exploitable.
  • Re:um yeah (Score:4, Interesting)

    by ajs ( 35943 ) <{ajs} {at} {ajs.com}> on Tuesday November 21, 2006 @02:56PM (#16936334) Homepage Journal
    It does make sense, but it's just not very smart.

    This is a group of (or singular) kiddies who want to make Oracle look bad. That's fine, and Oracle is a big company that I'm sure can take care of itself (C&D paperwork is probably burning out toner cartridges by the gross at Oracle HQ as we speak). My concern is that folks that are good at security testing, but too young to know how to direct their efforts constructively, are going to destroy their fledgling careers before they get started. Many such bright kids these days assume that they'll make a name for themselves, and then the consulting bucks will roll in. Problem is that the wrong kind of press can lead to SOME work, but far less than you would have gotten by building a reputation in the industry through the quality of your work and references.

    As with security, in the job/consulting world social engineering is often a better approach than trying to pick the lock on the front-door.
  • No kidding?! (Score:2, Interesting)

    by firespade ( 1030302 ) on Tuesday November 21, 2006 @03:31PM (#16937202)
    Bugs specific to security? There are still several exploits concerning the metadata itself. And on top of that, Secunia has multiple cases of vulnerabilities concerning all versions of the Oracle Database. All the way from Database Restriction Bypassing to boundary errors leading to buffer overflows by user-initiated malicious attacks. Try harder, Oracle... try harder. Anthony
  • Re:um yeah (Score:0, Interesting)

    by Anonymous Coward on Tuesday November 21, 2006 @04:26PM (#16938376)
    Bullshit. I also admin many oracle dbs and experience the same things you do. (Finding, reporting bugs, etc.)

    Where we differ, however, is I actually give a flying fuck about the quality of their software. Unlike many other apps I support, Oracle is likely to make me cringe the most and certainly plays a non-trivial role in some sleepless nights. (Whether it's because I'm worried, or because I'm patching)

    You see, oracle has been doing the same thing for many years. Rapidly developing shitty software based on some code some guy wrote 28 years ago. With the spider web of kludges, patches and patches for patches, we're in for a very bumpy ride for some time. We can't expect them to change because as far as they're concerned, they're doing just fine.

    I am opposed to that. I am for finding as many 0 days as is possible for this software so other vendors who truly write decent software will be considered. I am for oracle taking a long, deep look at their code and realizing that this stuff is better off being /dev/null'd and starting fresh with a rewrite (including backwards compatibility, where applicable). Only this time, they'll not toss security out the window, and they'll take into account some of the other lessons other software companies have learned over the last 28 years.

    Currently, oracle is pouring most of their money into: A. Support for their userbase. B. Developing more apps that can plug leaking holes on their sinking ship. C. Piling features on top of existing oracle base.

    I bet hardly any software vendor in the world pours as much people power into tech support as oracle does. If they did a rewrite with some decent coders, they might realize that the money they used to spend on techsupport is now just gravy.
  • by emil ( 695 ) on Tuesday November 21, 2006 @04:29PM (#16938462)

    The final CPU for the 8.1.7.4 database release comes out in January. It's highly unlikely that anything revealed in this effort will be fixed for 8.1.7.4.

    That's an important release... it's the last one (that's supported) that will talk to Oracle 7 or early v8 databases (as a client). My company has thousands of win32 clients rolled out, and a fair number of servers supporting some critical apps (think Peoplesoft).

    8.1.7.4 was a great release. Small, not a lot of cruft. I wish it (and we) weren't hanging in the breeze. DB2 customers are lucky for their long support.

  • by Tawnos ( 1030370 ) on Tuesday November 21, 2006 @05:34PM (#16939718)
    Not necessarily a security bug, but it can be annoying. This comes from the project description, as a warning when trying to do natural joins for the project.
    This query:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from ord natural join item natural join product

    is evaluated incorrectly in Oracle 10g (rel. 10.2.0.1).

    Compare its output with the correct results generated by this query:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from item natural join product natural join ord

    or this:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from ord natural join (item natural join product)

    or this:

            select ordid, lineno, orderdate
                      , prodid
                      , descrip "Description"
                      , total
            from ord natural join item natural join product

    This solution:

            select ordid, lineno, orderdate
                      , descrip "Description"
                      , total
            from (ord natural join item) natural join product

    does not work either. The optimizer insists on doing a cartesian product between ORD and PRODUCT.

    This is a new bug. It does not exist in Oracle 9i, which evaluates all queries correctly.
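    A self-contained way to check whether a given Oracle release evaluates the chained natural join correctly, added here as an example and not part of the comment above. Only the column names used in the comment (ordid, lineno, orderdate, descrip, total, prodid) come from the page; the table definitions, sample rows and the explicit-join reference query are assumptions made for the demo.

```sql
-- Constructed sample schema: the column names come from the comment above,
-- everything else is an assumption for this demo. Only the join keys
-- (ordid, prodid) are shared between tables, so NATURAL JOIN has exactly
-- one common column to match on at each step.
create table product (prodid number primary key, descrip varchar2(40));
create table ord     (ordid  number primary key, orderdate date);
create table item    (ordid  number references ord(ordid),
                      lineno number,
                      prodid number references product(prodid),
                      total  number,
                      primary key (ordid, lineno));

insert into product values (1, 'Widget');
insert into product values (2, 'Gadget');
insert into product values (3, 'Never ordered');   -- must not show up in any result
insert into ord values (100, date '2006-11-21');
insert into ord values (101, date '2006-11-22');
insert into item values (100, 1, 1, 10);
insert into item values (100, 2, 2, 20);
insert into item values (101, 1, 2, 25);

-- The query the comment reports as mis-evaluated on 10.2.0.1.
-- Correct output is one row per item line (3 rows); product 3 never appears.
select ordid, lineno, orderdate
     , descrip "Description"
     , total
from ord natural join item natural join product;

-- Regression check: every form below must return the same count as the
-- reference query with explicit ON predicates. If 'chained' disagrees with
-- 'reference', the optimizer is not joining ORD to PRODUCT through ITEM
-- (the cartesian product the comment describes).
select 'reference'     as form, count(*) as n
from   ord o
join   item    i on i.ordid  = o.ordid
join   product p on p.prodid = i.prodid
union all
select 'chained',       count(*)
from   ord natural join item natural join product
union all
select 'parenthesized', count(*)
from   ord natural join (item natural join product);
```

    Run the script as a scratch user on the release under test; any count other than 3 in the last result set reproduces the problem.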
