Emergency Workaround For Oracle 0-Day
Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.
I sent the email to 0racle. Too much l33tness, sorry.
Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?
This would seem to be a pretty decent answer to the previous thread (How do geeks get exercise).
"Oracle: can't break it; can't break in"
In post Patriot Act America, the library books scan you.
This exploit affects the Weblogic product. Oracle only acquired that a few months ago.
It's got squat to do with the DB product.
For christ's sake. At least link to the fucking Oracle page.
If I wanted to read ZDNet, I'd just go to fucking ZDNet.
Maybe not
I would have thought that an exploit like this would be worth a huge amount of money ... For Oracle, but now for the great pool of unwashed out there.
It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, the exploit would have been reported directly to Oracle. By substantial I mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)
I just tried to google mod_wl and the first page of the results does not clearly tell me what mod_wl even does. I do not know a single person who uses it and I work at a large ISP.
This has nothing to do with Oracle's database and I think Slashdot editors really need to stop with these silly headlines designed to get me to click on stories. Grow up! Make a profit without deceit!
Frankly, this post about this overflow is such a non-issue for me it is funny.
can anyone explain what in the heck mod_wl even does?
Not that TFA says anything about whether C or C++ are actually involved, but:
The C/C++ feature that the compiler has no idea of the size of an array claims another example of misuse.
The lack of array size information is a feature of C/C++, and a well-known one at that. If you don't know how to deal with it, you shouldn't be using the language, much less talking about it.
C++ does know the size of arrays. That's why you can call delete [] myArray; without specifying the size of the array.
What C++ doesn't do is test whether the index is out of bounds every time you access the array. That makes it faster, but you should remember to put the test in if the index isn't guaranteed to be correct.
And Princess Diana is a victim of cars' lack of a 30 MPH speed cap.
Can I watch you insert and sort and group 45000 rows of data? That's gotta be a sight to behold.
I seriously don't think that we would have seen any kind of information from Oracle about trying to mitigate a possible problem if this had simply been sent only to Oracle. As such, we are a little safer in the sense that at least we know of the issue, and as a result can apply the remedies both Oracle provided as well as any other solutions to help protect against this kind of attack.
Had this not gone public, it would almost definitely be another few months before we had a fix in place from Oracle, and in the mean time had been vulnerable to attack that someone has already found (which means it is likely that many people know of the flaw and may be looking to exploit it).
While in some cases full disclosure may not be the best idea, in this case (or any case for that matter where the exploit can be defeated with certain configuration options) it is better that we know of it immediately so we can put our own protections in place and use our own judgment as to what extra actions may need to take place (possibly including taking affected systems off-line or otherwise unavailable). We are all safer now because of this person releasing the exploit into the wild on the public internet, which forced a company to make a statement about that exploit and give immediate advice to protect against it, as opposed to sitting on that exploit, not telling anyone about it, and quietly having a patch released with the normal patch cycle.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
What's love got to do with it? In fact, if you go for money, you are probably more likely to find a good std::vector. Sorry, old joke. Couldn't resist.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
One man's unrefined ruffianity is another man's unconscious vernacular.
Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.
Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"
SQL: >select * from pages(start=1,end=1222) order by name asc
/usr/bin >
[command executing...]
[timeout ID-10-T - CPU has entered sleep mode]
today is spelling optional day.
Though many experts in the area make it policy to inform the vendor, some vendors respond in wildly inappropriate ways. Some simply ignore it, others will contact law enforcement authorities believing that they are being blackmailed. And yes indeed, some security conscious people have been arrested for trying to do "the right thing."
It is rare that security flaws like these are announced in this way. I find it more likely that someone attempted to contact Oracle on the matter and the message didn't get to the right eyes or ears and was discarded. Now they are simply claiming to have no knowledge of being previously informed... or maybe just as likely, they were adequately informed and they simply did nothing about it. Microsoft is well known for doing that. There have been exploitable flaws in their OSes for years that have not been patched. Ultimately, I find it more likely that they were informed and for whatever reason did not act on it.
It's best to report it to the vendor/maintainer first and give them 30 days to fix it, but even then you're probably better off remaining as anonymous as possible or someone may be knocking on your door before you know it.
The thread is talking about arrays, and you mention std::list. Right, C++ standard library golden rule #1: always use std::vector, unless you have a really, REALLY, REALLY good reason to use something else. See also one of the other child posts.
std::vector is the array replacement. It has good random access speed. It is guaranteed to use contiguous memory. If it's not fast enough, that's probably because you are allocating memory: you are storing by value and the STL makes a lot of copies of stored values internally in many operations (see other child post) - and that can be solved without defaulting to pointers by using a custom allocator.
If any of this seems too complex to you, you shouldn't have been bothering with performance-critical C++ yet, and should be learning more about the language and libraries first. I recommend the book "Efficient C++" by Dov Bulka and David Mayhew as an introduction, and "Effective STL" by Scott Meyers for more on the standard library.
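The two C++ posts above (no bounds check on array indexing; std::vector as the array replacement) boil down to one defensive pattern for code that copies untrusted input into a buffer. The example below is added here and is not from the thread, the WebLogic plugin, or Oracle; the header-copy functions, the 64-byte limit and the inputs are all constructed for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed limit for a header value; the real plugin's limits are not on the page.
static const std::size_t kMaxHeader = 64;

// 'Before': the classic unchecked pattern. The compiler knows sizeof(buf),
// but nothing checks that `len` fits, so an oversized input writes past buf.
// Shown only as the pattern being avoided; not used by the checked functions.
std::string copy_header_unchecked(const char* data, std::size_t len) {
    char buf[kMaxHeader];
    std::memcpy(buf, data, len);          // no length check: overflow if len > kMaxHeader
    return std::string(buf, len);
}

// 'After': the length is validated before any indexing, the storage is a
// std::vector (contiguous, size known to the object), and at() is used so
// that any remaining index bug throws instead of corrupting memory.
std::string copy_header_checked(const char* data, std::size_t len) {
    if (data == nullptr) throw std::invalid_argument("null input");
    if (len > kMaxHeader) throw std::length_error("header value exceeds limit");
    std::vector<char> buf(kMaxHeader);
    for (std::size_t i = 0; i < len; ++i) {
        buf.at(i) = data[i];              // at() throws std::out_of_range if i >= size()
    }
    return std::string(buf.data(), len);
}

// Convenience predicate: would this value be accepted by the checked copy?
bool accepts_header(const std::string& value) {
    try {
        copy_header_checked(value.data(), value.size());
        return true;
    } catch (const std::exception&) {
        return false;                     // rejected rather than overflowed
    }
}
```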
Did anyone actually drill through the article to the fix?
The exploit is in BEA WebLogic server, not in the Oracle database. BEA is a web application server company that Oracle acquired about 2 months ago.