Posted by: Shayna Garlick
Oracle scored a 10 for security last week.
Unfortunately, this wasn’t one of those “best-you-can-get” 10s. It was a 10 on the Common Vulnerability Scoring System (CVSS) scale, a system for rating and assessing the impact of system vulnerabilities, and Oracle had a big one.
This vulnerability, which has been described as “severe” and “dangerous,” was found in Oracle’s new WebLogic server (formerly known as BEA WebLogic).
In his Security Alert, Oracle’s Eric Maurice says that the vulnerability can be exploited without authentication (such as a username and password), and that “it can result in compromising the confidentiality, integrity, and availability of the targeted system.”
Whoever made the vulnerability public did not contact Oracle beforehand, Maurice said.
It’s been a year since we last discussed your database security bloopers, but it’s probably safe to say that this is one of the biggest ones since then. The WebLogic vulnerability marks the first time since January 2005 that Oracle has issued an out-of-cycle patch or security alert for one of its products.
However, whether this affects you or not, you’ve probably had your own share of security nightmares since last July, which is why it’s time for “Oracle security bloopers III.” Take a look back at Oracle security bloopers II and More security horror stories, where readers wrote in about everything from SYS password misunderstandings to fraud-committing DBAs.
Especially with all the Oracle acquisitions, integrations and new products in the last year, security issues are inevitable. What Oracle security horror stories do you have? Send your stories (these can be anonymous) to me at firstname.lastname@example.org or leave them in the comment fields below and share them with the Eye on Oracle Community!