February 28, 2009 at 3:19 am #3484Don DonzalKeymaster
From John Sawyer’s article, “Oracle Patches Get Bad Rap”:
What I do want to point out for you infosec pros and pentesters is a great resource on hacking Oracle servers. Chris Gates has put together some awesome examples of using the Metasploit Framework’s Oracle modules over the last few months on his blog, Carnal0wnage. If you have Oracle servers in your environment or perform pentests for companies who use Oracle, take the time to walk through the examples and test out the modules. You never know when they might come in handy.
For entire story:
Keep up the good work, Chris.
February 28, 2009 at 7:05 am #22802KrisTeasonParticipant
Congrats Gates. This one’ll definitely up your reputation more. 8)
February 28, 2009 at 1:08 pm #22803AnonymousParticipant
February 28, 2009 at 3:51 pm #22804KetchupParticipant
I used to be an Oracle DBA, worse actually, Oracle Applications DBA. For those of you not familiar with Oracle Apps, it’s basically their ERP suite, CRM, Inventory and others, powered by Oracle RDBMS. It includes Apache, Tomcat, tons of JSP pages, tons of shell scripts, tons compiled java code, etc. The installation literally used to come on 50 CDs. Most people run it on at least two servers. I hate to admit it, but I have skipped patching the behemoth on more then one occasion. Here is why….
Most Oracle patches have prerequisites. Those prerequisites have their own prerequisites. By the time you figure which patch you have to start with, you have forgotten what you are patching. Once you have applied the patches, you have to figure what those patches broke, and they will break something. It’s not always evident in the hundreds of GB of code what’s broken. By the time you find the issue, you have more patches that you have apply. If you are lucky, you don’t have to go back to your backup and restore the entire monster.
And then you get into custom code that is somewhat unsupported by Oracle. If you patch something, it will break it. Why do we have custom code in Oracle? Because Oracle Apps is great if you you are making widgets. If you don’t, you need to customize. Oracle will give you a great deal on the software, even 80% off the sticker price. The customization will cost a few million $$ depending on your size.
Oh, and you can’t update Java on your machine to the latest version, because the latest version is never certified by Oracle. All the Java security issues that are so well documented, guess what, you can’t patch those. Oracle has yet to “certify” that they won’t break anything. I find their “certification” quite hilarious actually.
Test systems don’t always behave the same way as the production systems. Just because you’ve successfully patches a test system, it doesn’t mean you get to sleep shortly after patching the production system.
I can go on, but in short it’s a mess. I don’t see how Oracle can consider itself security-conscious, at least with Oracle Apps. Oracle RDMS by itself is a different story. Complexity and security are never friends, and calling this beast Complex is quite an understatement. There is an unwritten rule among very experienced Oracle Apps DBAs. You don’t patch if it ain’t broken.
I am interested in what others think about this as well. As you can see, I have some deep emotional scarring inflicted by Oracle :). What about you guys? Have you had experience with Oracle Apps? I can’t imagine that any installation will pass an Audit or a Pen Test. I’ve never worked with SAP. Does anyone know if that’s any different?
- You must be logged in to reply to this topic.