Slashdot Mirror


Oracle 9i Isn't Quite Unbreakable

BillTheKatt writes: "The formerly (as in a couple of weeks) "unbreakable" Oracle 9i has been found to be vulnerable to a Denial Of Service bug. ... Thanks [H]ardOCP for the link to the Article At SiliconValley.com. For more information see the official notice on SecurityFocus. More proof that Microsoft does not hold a monopoly on bugs. And of course a black eye to Mr. Larry 'Big Mouth' Ellison. I'm still waiting for my network computer, Larry."

9 of 113 comments

  1. It's a Win-Win for Larry by Greyfox · · Score: 3, Funny

    Shooting your mouth off like that. You either get good publicity after announcing that the skript kiddies were unable to own your server or you get free security testing.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  2. Another Oracle problem not mentioned in post by krogoth · · Score: 4, Informative

    I can understand readers not reading the articles all the time, but shouldn't the editors look at it in case the submitter wasn't completely accurate? The inaccuracy is that Oracle 9i also has a buffer overflow that can allow the attacker to gain control of the system. The DoS is another issue that took eEye 4 hours to find:

    Maiffret was more critical of Oracle. At the Comdex computer show last month, Oracle CEO Larry Ellison dared hackers to try to break into his company's software. Maiffret, a 21-year-old reformed hacker who has testified before Congress about computer security, said it took eEye programmers four hours to identify weaknesses in Oracle's programs that would have exposed users to a problem known as "denial of service" attack.

    The buffer-overflow flaw in Oracle's 9i application server was found by David Litchfield of Next Generation Security Software, based in Surrey in the United Kingdom.
    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.

  3. So what? by jfeasel · · Score: 4, Insightful

    Why would any admin put their database server out on the open internet, exposed to this anyway? Databases should be kept behind firewalls, where it's safe.

  4. Re:Well, we all knew... by ct · · Score: 3, Interesting

    Exposure here on /. aside, watch for just how much press this, as well as the recent XP hole, gets in the "mainstream" mailout periodical press.

    As a SysAdmin (who never explicitly subscribed to any of the 3 CMP/techweb publications I now receive weekly/biweekly/monthly, or the electronic C|net shite I'm now eternally a "customer" of), it's pretty obvious who pays the bills for the (largely) waste of bandwidth reviews they provide. Wake up... they aren't going to bite the hands that feed them - particularly MS or Oracle.

    While you/I/every other jaded IT employee with half a brain can be critical of this two faced advertising driven BS, the individual with a tight grip on the purse strings for IT expenditures is getting the same mailings & treating them as dogma - because he doesn't know/care that he's being fed crap with a fancy ribbon around it.

    Until the push-periodicals are no longer driven by big bucks advertising contracts & therefore biased coverage of these products, IT "managers" will have a steady supply of bullshit benchmarks & reviews IN WRITING to reinforce & perpetuate their decision making process.

    -ct

  5. Nobody in their right mind..... by Raindeer · · Score: 4, Insightful

    Nobody in their right mind declares software to be unbreakable. It is just like in science, even after the closest scrutiny all you can say about a theory is: "Not YET disproven". Even after the closest scrutiny you'll say about the program: "not yet broken". Because no matter how much review you did, there could be someone smarter than you.

  6. Oracle9i Database vs. Oracle9i Application Server by briansmith · · Score: 5, Informative

    Some people are confusing the Oracle9i Database with the Oracle9i Application Server. I agree that the naming is confusingly similar but they are two very different products. The article refers to Oracle9i Application Server, not the database.

    Oracle9i Application Server is basically Apache 1.3 bundled with Orion Application Server and an embedded (yes, embedded!) Oracle database server used for data caching. There are a variety of add-ons included as well, depending on how many tens of thousands of dollars (per processor) one wants to spend.

    Also, Larry's term "unbreakable" refers not just to security issues but also availability and scalability.

  7. Re:The Distinction is Very Important by Khalid · · Score: 5, Informative

    >face it, Apache was never designed to handle
    >mission-critical, Enterprise-level applications.
    >It's great for serving web-pages out of your
    >dorm-room, but for a $$$ piece of software like
    >Oracle 9i, I don't know.

    >you are never going to be able to fully vet a
    >piece of software like Apache that was developed
    >by non-professionals

    Why are you spreading FUD like this? What is your hidden agenda?

    Many professional programmers, particularly from IBM and SUN, participate in the Apache project. Plus, IIS has been developed by so-called professionals; well, sorry, it's not particularly known for its robustness.

    Please check your facts before posting uninformed posts, or stop spreading FUD.

  8. Monopoly on bugs by tmark · · Score: 4, Insightful

    More proof that Microsoft does not hold a monopoly on bugs.

    Oh, the self-righteous smarminess of chauvinists everywhere. If we needed more proof that Microsoft does not hold a monopoly on bugs, one only need look at any major open-sourced project. The Changelog for the Linux kernel, for instance, documents beaucoup bugs that users were living with on their OS (forget about their DB, which as someone else pointed out is most likely stashed away behind a firewall anyways). Why does such bugginess there not bear the same level of ridicule?

  9. Nice fact-checking, Timothy by hatless · · Score: 5, Insightful

    1. It's a buffer overflow affecting the 9i Application Server--specifically, a PL/SQL Apache module--and not the database. Still a Bad Thing, but not the same thing.
    2. The crack regarding "still waiting for [your] Network Computer" is pretty dopey. Ellison's NIC Company has been shipping them going on two years now.

    You'd think they'd be a big hit with the Slashdot set seeing as they boot Linux with X off a CD, and have Ethernet, USB, a modem and VGA support built in, all for $200. I guess lame jokes predicated on them not existing are more fun.