Web Site Consolidates Oracle Security Alerts
Here is a web site that offers explanations and possible fixes to Oracle security alerts:
http://www.appsecinc.com/cgi-bin/show_policy_list.pl?app_type=2&category=6
This handy site has rolled Oracle security alerts into one easy page.
The areas covered on this site include:
Pen Test - Misconfigurations
Pen Test - Denial of Services
Pen Test - Vulnerabilities
Pen Test - Password Attacks
Audit - Identification/Password Control
Audit - Access Control
Audit - Application Integrity
Audit - OS Integrity
By choosing one of the above categories, an individual gets a comprehensive list of error messages. Once one chooses the error message he/she is receiving, the site, Application Security, Inc., provides the name of the error, the security risk level, a summary of the error, and an overview of the security alert, including the area of vulnerability, the Oracle versions affected, and fix information regarding the alert.
For example, when clicking on CREATE_MVIEW_REPGROUP overflow (Verify version) under the Pen Test - Vulnerabilities tab, a segment of the overview that is displayed is as follows:
This vulnerability can be exploited by members of the roles
EXECUTE_CATALOG_ROLE and SYSDBA or by users granted execute
permissions on these vulnerable packages.
This security issue allows a non-privileged user to elevate his or
her privileges to DBA. It can also be exploited to crash the
database causing a DOS (Denial of Service) condition for the Oracle
database.