Thread regarding Oracle Corp. layoffs

Free Oracle data for hackers, get it while its hot!

My favorite one (if I were a hacker) is CVE-2018-3259, its the one that allows me to take over the Oracle VM remotely. That's where I get all that precious data. Delicious. Just port scan for 1521 and bingo... I am ready to rock and roll.

I think the Russians will pay 1.00 per American user with private data, I take over the VM connect to the database, create a SCOTT/TIGER account with DBA privs (This step is to get the DBA fired for being careless) and then s--- all that delicious data into my csv text file. Mrs Jone's gallbladder problem and her visa account information should earn me some quick cash.

My second favorite is CVE-2018-3299 I can mess with the Oracle text and cause Oracle to crash for a DOS. Why not execute both? Port scan 1521, take over the Oracle VM remotely, create the Scott/Tiger account with DBA privs, s--- out all the user data. Then I have options. Option one cover my tracks and sneak away. Or option two pull an "allahu akbar" and blow up the database on the way out by exploiting the text bug and cause a DOS. Option two gets me the high profile attention some hackers crave. I'd go by the hacker alias "T–dCEO" as an homage to the man who made it all possible.

So sad to watch a once great company burn in the garbage dump... ah but what do you expect when you cut good talent and replace it with whomever is cheapest.

https://www.theregister.co.uk/2018/10/16/oracle_patch_bundle/

For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three.

Oracle noted that all three bugs only impact the server versions of Database, user clients are not considered to be vulnerable.

Whew thank goodness. I wouldn't want my SQL server client which has no data to be compromised. Thank goodness its only the server that has all the data that is totally vulnerable to anyone to exploit this attack.

https://nvd.nist.gov/vuln/detail/CVE-2018-3259

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in takeover of Java VM. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2018-3299

Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2 and 12.2.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Text. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Text, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Text as well as unauthorized update, insert or delete access to some of Oracle Text accessible data. CVSS 3.0 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H).

by
| 2537 views | | 10 replies (last ) | Reply
Post ID: @OP+VGSNgTg

10 replies (most recent on top)

Absolutely, low cost, off-shore workers, mean workers who don't give a sh--. It's just a paycheck to them and they know they don't have to really do anything, they will be kept, just because of the low price.

by
| | Reply
Post ID: @4atu+VGSNgTg

"If it's a normal process to have a security hole like this in multiple versions before it is found, something is wrong at Oracle"

This what happens when you offshore your code development to a bunch of low dollar, low talent workers who neither give a s**t or have any ability to be creative or innovative. Might as well contract the Borg to write software, about the same mindset.

by
| | Reply
Post ID: @3vgz+VGSNgTg

Whew thank goodness. I wouldn't want my SQL server client which has no data to be compromised. Thank goodness its only the server that has all the data that is totally vulnerable to anyone to exploit this attack.

LOL.... Oracle...... glad the clients are safe!!

by
| | Reply
Post ID: @3nop+VGSNgTg

Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c.

Holy sh--, this has been around since forever (CVSS 3.0 Base Score 9.8 ). Wonder what else is out there.

If it's a normal process to have a security hole like this in multiple versions before it is found, something is wrong at Oracle.

by
| | Reply
Post ID: @3app+VGSNgTg

What's sad is that we don't even apply these patches to many of our own cloud environments. We know our customers are at risk, but mangment just doesn't care. The only cloud environments we bother to patch these days is OCI (AKA bare metal). Everyone else can just get hacked, LE already has their money and doesn't give a hoot what happens to them.

by
| | Reply
Post ID: @1lrr+VGSNgTg

No worries, Oracle Autonomous would fix this while DBAs are sleeping.

by
| | Reply
Post ID: @1dsg+VGSNgTg

Yes, this. That is why security bug descriptions are so vague. When you see, “Problem with (some component)”, in a patch description, obfuscation is the whole idea.

by
| | Reply
Post ID: @1uup+VGSNgTg

libssh bug more like "oh SSH…"

Once admins get the Oracle patches in place, they will want to take a close look at the write-up for CVE-2018-10933, an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a "SSH2_MSG_USERAUTH_SUCCESS" message when it expects a "SSH2_MSG_USERAUTH_REQUEST" message. That means any miscreant can log in without a password. As you can imagine, this is a very bad thing.

Better patch that quick! I wonder if every Oracle DBA is staying up late at night, tonight...

by
| | Reply
Post ID: @1gdv+VGSNgTg

libssh bug more like "oh SSH…"

Once admins get the Oracle patches in place, they will want to take a close look at the write-up for CVE-2018-10933, an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a "SSH2_MSG_USERAUTH_SUCCESS" message when it expects a "SSH2_MSG_USERAUTH_REQUEST" message. That means any miscreant can log in without a password. As you can imagine, this is a very bad thing.

Totally normal. Standard part of what to expect with a CVE patch. Nothing to see here move along...

by
| | Reply
Post ID: @1ugk+VGSNgTg

Thinking CVEs are somehow earth shattering hacking potential is akin to buying stock based on the "tip you got on the front page of the morning paper. And while it's apparent this poster has a problem with Oracle, there's as many if not more CVEs for just about any firm in the business of developing software.

As an actual hacker, what's interesting to me isn't CVEs but what hasn't been disclosed. CVEs are part of a responsible process of analyzing reported vulnerabilities, developing patches, and publishing it to the user community. Its companies that don't engage in this process, refusing to address critical vulnerabilities, that make black hats far more profitable.

by
| | Reply
Post ID: @aea+VGSNgTg

Post a reply

: