
Emergency Workaround For Oracle 0-Day

Posted by kdawson
from the maybe-somebody-shorted-the-stock dept.
Almost Live writes "Oracle has released an out-of-cycle alert to offer mitigation for a zero-day exploit that's been posted on the Internet. The emergency workaround addresses an unpatched remote buffer overflow that's remotely exploitable without the need for a username and password, and can result in compromising the confidentiality, integrity, and availability of the targeted system." Whoever published the vulnerability and matching exploit code did not contact Oracle first.
  • by Anonymous Coward on Tuesday July 29, 2008 @11:06PM (#24396159)

    I sent the email to 0racle. Too much l33tness, sorry.

  • Haha! (Score:5, Informative)

    by Anonymous Coward on Tuesday July 29, 2008 @11:07PM (#24396177)

    Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?

    • I remember coming in every other morning in the office to restart our oracle concurrent manager servers because they had mysteriously gone haywire somewhere between their backend and apache interface.

      I remember teams of expensive consultants, weeks without sleep and 24/hr oncall in order to restart crashed IStore servers

this was when I worked for a certain popular bed company. I also remember our Oracle DBA's primary solution being to "reboot all the Oracle servers" when something was wrong. his "le
      • by hanshotfirst (851936) on Wednesday July 30, 2008 @08:39AM (#24399811)
Your DBAs didn't know what they were doing. Was this an Oracle sales rep or a technical consultant? They were clueless too - there is NO reason to run the Oracle database in that way. I can't speak to the iStore or concurrent manager stuff, but if their lack of knowledge on the core database product was this bad, I can only imagine...
      • by technomom (444378) on Wednesday July 30, 2008 @09:20AM (#24400363)

        Did anyone actually drill through the article to the fix?

        The exploit is in BEA WebLogic server, not in the Oracle database. BEA is a web application server company that Oracle acquired about 2 months ago.

      • by Gr8Apes (679165)

        Wow - run from that job. Seriously, it sounds like no one there had a clue.

        Oracle may suck, but it does run relatively securely (as does any other DB) if you follow proper procedures.

        We had hot-failover oracle DB servers running in a 5 9s configuration for 3 years without any unscheduled downtime. There was no need to patch the DB because it was fully firewalled from everything except the application servers, and we could patch those in sequence without bringing down the entire system, or customers even rea

    • by tha_mink (518151)

      Anyone else remember Oracle's ad campaign claiming to be "unbreakable"?

      I'm constantly amazed that companies (and fan boyz) still have the stones to make that claim about anything. Same with Mac..."It Just Works"...

  • nice timing (Score:5, Funny)

    by Anonymous Coward on Tuesday July 29, 2008 @11:11PM (#24396227)

    This would seem to be a pretty decent answer to the previous thread (How do geeks get exercise).

  • by stimpleton (732392) on Tuesday July 29, 2008 @11:11PM (#24396239)

    "Oracle: can't break it; can't break in"
  • ...pen and paper.
  • Worthless (Score:5, Funny)

    by jlarocco (851450) on Tuesday July 29, 2008 @11:21PM (#24396335) Homepage

    For christ's sake. At least link to the fucking Oracle page [oracle.com].

    If I wanted to read ZDNet, I'd just go to fucking ZDNet.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Lose the language, you unrefined ruffian. Do you talk to your mother with that mouth? Do you think it makes your point (or lack thereof) stronger? Got masculinity issues?

      • by Capt. Skinny (969540) on Wednesday July 30, 2008 @12:49AM (#24397061)
        One man's unrefined ruffianity is another man's unconscious vernacular.

        Moving to a university research lab after five years in IT at a paper mill in East Bumville, I really had to make a conscious effort to unlearn the conversational vernacular that I had picked up over the last few years.

        Oh, and I believe the correct expression is "Do you kiss your mother with that mouth?"
      • Pull your skirt up. You're mumbling.
        • Pull your skirt up. You're mumbling.

          You can see the lips moving, but you can't hear what they're saying?

          I thought that was more of a problem with tights than with skirts...

      • by Abcd1234 (188840)

        Do you talk to your mother with that mouth?

        Sure do!

        Do you think it makes your point (or lack thereof) stronger?

        It can. In fact, that's the whole point of profanity: to create a strong emotional impact, in order to better convey the feelings of the speaker. Of course, one must be sensitive to context, but it's certainly not out of place on Slashdot.

        Got masculinity issues?

        Stereotype much? Some women I know swear like sailors... are you saying they, too, long to be more masculine?

        • Stereotype much? Some women I know swear like sailors...

          Damn it, now I have to get my irony meter recalibrated. You just pegged it.

          • by Abcd1234 (188840)

Ha ha, touché. Though, in my defense, that's a cliché based on a stereotype, used to convey an idea, and not meant to be a stereotype in and of itself.

    • It could have been a standard kdawson article where we were given a link to a blog which linked to the ZDNet or, more likely, Wired article.
    • "For christ's sake. At least link to the fucking Oracle page. "

      In Soviet America, Oracle fucks you.

  • by SlashWombat (1227578) on Tuesday July 29, 2008 @11:38PM (#24396475)
    I would have thought that an exploit like this would be worth a huge amount of money ... For Oracle, but now for the great pool of unwashed out there.

    It strikes me that if Oracle (and other HUGE software vendors) were to offer substantial cash incentives to find holes as gaping as this one obviously is, the exploit would have been reported directly to Oracle. By substantial I mean in excess of 100,000 euros. (I would have said US dollars, but that currency isn't worth much any more!)
    • The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these. The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.
      • by rubycodez (864176) on Wednesday July 30, 2008 @01:16AM (#24397223)

        this is an article about an exploit in the BEA Weblogic J2EE Server, which until very recently had nothing to do with Oracle (the company) at all nor Oracle (the DBMS)

        I can't believe all the tards here going off about Oracle's DBMS code base.

        • I don't care what label they put on it: it's still unsafe native code garbage. You will note from the exploit and discussion that the problem lies in mod_wl.
          • One man's garbage is apparently another man's paycheck. Some people's jobs are based around writing unsafe native code (be it C, C++, or assembler), because nothing else is fast enough.
          • Re: (Score:3, Insightful)

            by X0563511 (793323)

            So what do you think your interpreter is made of? Somewhere, "unsafe" native code has to run.

            • Re: (Score:3, Interesting)

              by Abcd1234 (188840)

              Wow, way to completely miss the point. So, let me explain: if I go and build an application using a "safe" language on top of a VM, I'm building on a codebase that's had millions upon millions of hours of real-world testing. Moreover, that VM, being one single piece of code, can easily be audited for security issues, buffer overflows, etc. None of this can be said of an application I build from scratch on top of an "unsafe" language.

              • Re: (Score:2, Insightful)

                by clone53421 (1310749)

                if I go and build an application using overhead on top of more overhead, I'm building on a codebase that's had millions upon millions of hours of real-world testing. Moreover, that overhead, being one single piece of code, can easily be audited for security issues, buffer overflows, etc. None of this can be said of an application I build from scratch on top of an "unsafe" language.

                No, but it'll have less overhead. I wonder if they were concerned about performance when they designed this?

                Seriously, though: I'm not saying the application design you described doesn't have its place. In fact it's an excellent way to avoid these sort of problems if you're willing to sacrifice some flexibility and speed. In a high-performance database, though, every little bit is critical. Yes, they must hire top-notch programmers to avoid mistakes like this, but isn't that why the software package costs s

                • by Abcd1234 (188840)

                  No, but it'll have less overhead. I wonder if they were concerned about performance when they designed this?

                  Congratulations, you're arguing against a point I never made. I never once claimed that switching to a safer language didn't have its tradeoffs (all such choices do). But that choice *does* bring additional safety, contrary to what the GP would have you believe.

                  • what the GP would have you believe

                    ...was that someone, somewhere, has to use so-called "unsafe native code garbage", if only to write the interpreter (compiler, more accurately) that allows you the additional level of safety given by the safer language. Thus, you can't simply make a blanket statement of "nobody should use it" (because some situations require having the extra edge it gives: which was precisely my point, and his too). Maybe you just misunderstood his point.

                    • by Abcd1234 (188840)

                      Is it fair to say we agree that morons shouldn't be producing software?

                      I think you're right, actually. :)
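The subthread above argues about unsafe native code and buffer overflows in Apache modules such as mod_wl. As an added illustration (not code from mod_wl, BEA or Oracle, and not the specific flaw in the advisory), here is the generic defect class beside a bounded version: a remote-supplied header value copied into a fixed-size stack buffer with no length check, versus a parser that measures first and rejects anything that does not fit. The function names, the 32-byte capacity and the sample inputs are hypothetical and constructed for this example.

```c
/*
 * Added illustration for this thread; not code from mod_wl, BEA or Oracle.
 * Shows the defect class behind "remote buffer overflow in a native Apache
 * module" next to a bounded copy that refuses oversize input.
 * All names and sizes are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#define HDR_BUF 32   /* hypothetical fixed capacity for one parsed header value */

/* Vulnerable pattern: trusts whatever length the client sent. Any value of
 * HDR_BUF or more bytes writes past the end of the stack buffer.
 * Kept only for contrast; never call it with untrusted input. */
void parse_header_unsafe(const char *value)
{
    char buf[HDR_BUF];
    strcpy(buf, value);   /* no bound: overflow when strlen(value) >= HDR_BUF */
    (void)buf;
}

/* Hardened pattern: look for the terminator only inside the capacity we own,
 * refuse the value if it is not there, and report a status the caller must
 * check. Returns 0 on success, -1 if the value (plus NUL) would not fit. */
int parse_header_safe(const char *value, char *out, size_t outlen)
{
    const char *nul = memchr(value, '\0', outlen);  /* scans at most outlen bytes */
    size_t n;
    if (nul == NULL)
        return -1;        /* no terminator within capacity: reject, do not copy */
    n = (size_t)(nul - value);
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Mirrors how a module would parse into a local fixed buffer.
 * Returns 0 if the value was accepted, -1 if it was rejected as oversize. */
int check_header_value(const char *value)
{
    char buf[HDR_BUF];
    return parse_header_safe(value, buf, sizeof buf);
}

int main(void)
{
    /* constructed inputs: a normal value and an oversize one of the kind
     * an attacker would send to trigger the unsafe copy */
    const char *ok = "keep-alive";
    char big[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short value accepted: %s\n", check_header_value(ok) == 0 ? "yes" : "no");
    printf("oversize value rejected: %s\n", check_header_value(big) == -1 ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is not the `memcpy` but the early return: a module that cannot fit the value must fail the request, not truncate silently and not keep going, because the caller's next step usually assumes the copy succeeded.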

        • this is an article about an exploit in the BEA Weblogic J2EE Server, which until very recently had nothing to do with Oracle (the company)

          If the software sucks so much, maybe they shouldn't have bought it.

          (Note to those with a high input impedance, the above is called hyperbole. I don't know a thing about BEA WebLogic J2EE server, other than that I'm sure it's expensive. The point is that when a company purchases another company, they're taking on obligations with it. This is Oracle Inc's problem.)

          (I agree that clarifying that this isn't Oracle-the-product in The Summary would have been a good thing.)

      • Re: (Score:2, Insightful)

        by enosys (705759)

        The fact that Oracle has tens of thousands of employees points to the fact that Oracle does, in fact, offer a substantial cash incentive for finding bugs like these.

        Do you mean how they pay employees and some of those employees are involved in testing and debugging? That's not the same as paying for vulnerabilities. Do those employees get a bonus for finding vulnerabilities? What about if someone who is not an employee finds a vulnerability?

        The problem is not the money, the problem is the architecture. As long as things like Oracle are written in a massive jumble of C and other low-level, unsafe languages, they will be crawling with bugs. All the money in the world isn't going to get you to a state of zero remotely exploitable flaws.

        True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle.

        • "True, but if people got paid for reporting vulnerabilities they would be more inclined to report them to Oracle."

          Actually, I think it would make security researchers (white hat) and 'security researchers' (black hat) far more likely to not contact Oracle with full details as they may have in the past, and instead tell Oracle "we've found a vulnerability. For $100,000 we will tell you what it is. For $0 we will tell... other ...interested parties." ( where other interested parties may be baddies or the pu

      • C and other low-level, unsafe languages

        Unsafe? That's like saying I-beams and granite are unsafe building materials because it's possible to build a structure that collapses... if that concept was applied to construction, architects would be using pre-fabbed rectangular rooms marked "This side up" and "Do not stack over 3 high".

  • by Anonymous Coward

    Some Oracle That Is !!

  • "0 day?" (Score:1, Funny)

    by Anonymous Coward

    this exploit is over 10 days old now, slashdot you are wayyy too late on reporting this.

  • by Anonymous Coward on Tuesday July 29, 2008 @11:44PM (#24396531)

    I just tried to google mod_wl and the first page
    of the results do not clearly tell me what mod_wl
    even does. I do not know a single person who uses
    it and I work at a large ISP.

    this has nothing to do with Oracle's database and
    I think slashdot editors really need to stop with
    these silly headlines designed to get me to click
    on stories. grow up! make a profit without deceit!

    frankly, this post about this overflow is such
    a non issue for me it is funny.

    can anyone explain what in the heck mod_wl even does?

    • Why do some people insist
      on squeezing their posts
      like this?

      There is an art to formatting
      one's post for effect,
      but this is a web forum,
      not some scrunched-up
      afterthought of a
      newspaper column!

      Oh, wait...
    • by vhogemann (797994) <victor&hogemann,com> on Wednesday July 30, 2008 @09:14AM (#24400275) Homepage

      It's a module that implements a communication protocol, this protocol enables features that are useful when dealing with clusters, such as load balancing, server affinity (user with an active session always hits the same server), better integration with caches and reverse-proxies, etc...

    • mod_wl is a WebLogic proxy module for Apache. A good exposed WebLogic implementation on the web will use Apache to front-end and limit the direct exposure of WebLogic as much as possible, such as by using this module. It also allows for the use of WebLogic clusters, etc. to provide fault tolerance.

      And yes, this is really a BEA issue, which is of no surprise. Frankly, issues like this have existed for years in the world of Microsoft IIS. Why BEA would allow something as trivial as this sounds is what
  • Sweet, I've been wondering how to hack the trouble ticket system's Oracle back end at work. Now when a deploy has issues in production that weren't seen in development, I can retroactively fix my ticket attachments so it looks like the system engineers screwed up the deploy. Muahahahahaha!!!!

  • A misnomer (Score:2, Funny)

    by engun (1234934)
    The hacker thought "Oracle" already knew ;-)
  • by Samari711 (521187) on Tuesday July 29, 2008 @11:58PM (#24396629)
    not nearly as panic inducing as I first thought, although I'm sure my program management is going to get all bent out of shape about it anyway. Bad news if you use Apache with WL though.
    • you should panic if it's for WebLogic. Your Oracle databases are not open to the Internet. But WebLogic, or especially this buggy plugin in your Apache, is!
      That means: potentially free access to your webserver!

  • by InlawBiker (1124825) on Wednesday July 30, 2008 @12:25AM (#24396863)

    "Whoever published the vulnerability and matching exploit code did not contact Oracle first."

    It's interesting to me that this is a tag in the OP. I realize it's part of the Hacker's Code of Ethics to report exploits to vendors and I fully agree with it. For the most part it's people pushing software to its limits that find the bugs. BUT - the more business is done on the Internet the more valuable exploits become.

    I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

    Reporting to vendors is the right thing to do, but if there's one thing I've learned in my life it's that when money and ethics collide money almost always wins.

    • Re: (Score:3, Insightful)

      by John Whitley (6067)

      I am under the belief that somewhere out there, black-hat organizations have some really scary databases of exploits that have never been reported to vendors.

      No need for abstract belief; this is near certainty. Even "better", I've seen stuff that would curl your teeth that the vendor apparently knew about but remained quietly unpatched. That was in the toolset of a professional IT security testing company. Their stuff made Metasploit look like a Lego model of a battleship vs. the real thing. It's sobering knowing that tools exist that are the direct realization of the weakest link principle. With really well-thought out and easy to use UI, and backend code

      • by _Shad0w_ (127912)

        I once found a bug in a major SCADA platform that, from talking to someone who worked for the company that developed it, they knew about and had a fix for; their support people had instructions to only tell you about it and send it to you if you'd actually found the bug. As in found it and knew what it was (namely a memleak).

        • That should be criminal (not proactively providing the patch to customers). Stuff connected to SCADA equipment can kill you (in lots of cases, like electrical substations and gas pipelines).
          • by _Shad0w_ (127912)

            In this case what it did was cause the system to fall over once a day and need rebooting; fortunately all that meant was they couldn't change the lane assignments on a conveyor belt system until it came back up again.

            I come from the old school of thought that says that a SCADA system should be able to fail without adversely affecting the safety of the overall system. You lose your overview and control, but the automatic controls and safeties should continue to operate and make sure nothing really bad happe

    • Reporting to the vendor is pretty much useless. They will stonewall you and then, for something as big and inertial as Oracle, the patch will come out five years later. It's much more important, and, to me, much more aligned with sound ethical principles to report the problem immediately and directly to the public. By doing so you give the users and administrators a fair chance to quantify the risks of using the product, and to try to offset those risks with countermeasures.

      If you just report it to Oracl

  • by Fallen Kell (165468) on Wednesday July 30, 2008 @12:33AM (#24396925)
    Again, this brings up the whole debate on to disclose or not to disclose.

    I seriously don't think that we would have seen any kind of information from Oracle about trying to mitigate a possible problem if this had simply been sent only to Oracle. As such, we are a little safer in the sense that at least we know of the issue, and as a result can apply the remedies both Oracle provided as well as any other solutions to help protect against this kind of attack.

    Had this not gone public, it would almost definitely have been another few months before we had a fix in place from Oracle, and in the meantime we would have been vulnerable to an attack that someone has already found (which means it is likely that many people know of the flaw and may be looking to exploit it).

    While in some cases full disclosure may not be the best idea, in this case (or any case for that matter where the exploit can be defeated with certain configuration options) it is better that we know of it immediately so we can put our own protections in place and use our own judgment as to what extra actions may need to take place (possibly including taking affected systems off-line or otherwise unavailable). We are all safer now because of this person releasing the exploit into the wild on the public internet, which forced a company to make a statement about that exploit and give immediate advice to protect against it, as opposed to sitting on that exploit, not telling anyone about it, and quietly having a patch released with the normal patch cycle.

  • by erroneus (253617) on Wednesday July 30, 2008 @01:03AM (#24397129) Homepage

    Though many experts in the area make it policy to inform the vendor, some vendors respond in wildly inappropriate ways. Some simply ignore it, others will contact law enforcement authorities believing that they are being blackmailed. And yes indeed, some security conscious people have been arrested for trying to do "the right thing."

    It is rare that security flaws like these are announced in this way. I find it more likely that someone attempted to contact Oracle on the matter and the message didn't get to the right eyes or ears and was discarded. Now they are simply claiming to have no knowledge of being prior informed... or maybe just as likely, they were adequately informed and they simply did nothing about it. Microsoft is well known for doing that. There have been exploitable flaws in their OSes for years that have not been patched. Ultimately, I find it more likely that they were informed and for whatever reason did not act on it.

    It's best to report it to the vendor/maintainer first and give them 30 days to fix it, but even then you're probably better off remaining as anonymous as possible or someone may be knocking on your door before you know it.

    • Though many experts in the area make it policy to inform the vendor, some vendors respond in wildly inappropriate ways. Some simply ignore it, others will contact law enforcement authorities believing that they are being blackmailed. And yes indeed, some security conscious people have been arrested for trying to do "the right thing."

      I'm surprised this bug wasn't handled through the Zero Day Initiative [zerodayinitiative.com]. The researcher gets paid, TippingPoint runs interference on any legal bullying, responsible disclosure ha
