Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
(Message started by: Pete Finnigan on Jan 21st, 2010, 11:56am)

Title: The alert process
Post by Pete Finnigan on Jan 21st, 2010, 11:56am
Hi,
Just a newbie question from a DBA that applies CPUs, but doesn't understand the process behind each CPU and the people behind it!

In a quarterly CPU bundle, there are a lot of fixes for detected vulnerabilities in an Oracle product marked with a CVE code. What kind of people (Oracle employees or external hackers) detect vulnerabilities, and how is it reported to Oracle? Normally the reason for the CPU is vague, and the only information we can read in the matrix table that Oracle publishes is CVE number, component, protocol, etc., but no detailed description of the problem. Also, how do we know if there are exploits existing or not? I know there are a lot of Oracle exploiting tools to be searched for on the internet, but those exploits refer to _old_ known vulnerabilities. Example: CPUJan2010 is now released. But, is there any chance to find more related info about who discovered the vulnerability, and are there any documented procedures to hack an Oracle system besides known exploits (it seems like there aren't enough exploits for every vulnerability published)?

Tomas


