> This was covered in CERT Advisory CA-2001-18, posted
> to bugtraq by aleph1 on July 17th. The posting is a
> bit misleading and has Oracle 8i Enterprise Edition
> listed rather than Oracle Internet Directory (OiD).
>
> - Dave Lee
>
> In CERT's defense OiD does ship with the Enterprise
> Edition, but that is kind of like listing Win2K is
> vulnerable when it is an Exchange issue.

As far as I understand it, Oracle Internet Directory is an LDAP adapter on top of the Oracle 8i database and will not function without it. Any vulnerability in the OID might therefore also affect the database itself; any EE edition already out there on CD or hard drive has that potential vulnerability lying dormant, waiting until the OID is enabled.

The Oracle Internet Directory is not available as a separate product, at least not anymore. So in my very humble opinion - with less than a year of Oracle experience - it is the Enterprise Edition that is vulnerable. Because in a world where a DBA might leave the default administrator passwords intact to make it easier for the next DBA that needs to work on the system, one cannot be careful enough. Same goes for upgrading and patching; if it works, why risk breaking it?

OK enough rambling already :)

Cya
Jonathan
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 08:30:44 PDT