We opened a tar with oracle.

Ray Stell wrote:
>
> I hadn't seen this text, where did you get it?
> They still have not responded to Doc ID: 189174.995
>
> On Thu, Feb 14, 2002 at 01:26:57PM -0800, Joan Hsieh wrote:
> > Hello,
> >
> > This is what oracle responded;
> >
> > 1. EM does not use SNMP at all for its own functionality -- therefore
> > EM proper is not affected by these findings.
> >
> > 2. The EM agent can be optionally used as an SNMP subagent that
> > services the public and Oracle-specific database MIBs.
> >
> > 3. Intensive testing on this vulnerability has determined that there
> > is minimal risk involved to EM users. EM does not require SNMP
> > out-of-box -- use of SNMP with the agent is optional. The worst case
> > scenario is a denial of service attack against the Agent, resulting
> > in an Agent core dump. This risk is only apparent when the Agent is
> > configured to use SNMP.
> >
> > Please note that the Agent installation is typically behind a
> > firewall and the Agent does not listen to Internet traffic, further
> > reducing the likelihood of external tampering. Additionally, there
> > does not seem to be any potential for unauthorized privilege access,
> > any capability to run external code, or an effect on other services
> > on the node.
> >
> > Oracle will be releasing a formal Oracle Security Alert this week
> > with information regarding patching, backporting, etc.
> >
> > Ray Stell wrote:
> > >
> > > Dick, does this mean that you have firsthand knowledge that
> > > the oracle's snmp code is free from the underlying vulnerabilities?
> > > There was no mention of Oracle in the advisory. This could mean
> > > that they did not respond or they are not vulnerable.
> > >
> > > I posted to the Oracle Networking Technical Forum yesterday on this
> > > issue, but there has been no Oracle Corp response. You can search
> > > for SNMP to follow their response.
> > >
> > > Joan, Dick is certainly correct here with respect to the system snmp
> > > agent. The sysadmins need to address this by either patching or disabling
> > > snmpd. However, unless Oracle confirms they did not use the old flawed code,
> > > I don't see any reason to assume their product is not vulnerable. Until
> > > they do, I will:
> > >
> > > 1) be nervous,
> > > 2) bug oracle corp,
> > > 3) confirm ip filter rules,
> > > 4) study dbsnmp
> > >
> > > On Thu, Feb 14, 2002 at 09:53:37AM -0800, [EMAIL PROTECTED] wrote:
> > > > Joan,
> > > >
> > > > The Oracle intelligent agent which uses dbsnmp is not the problem here. The
> > > > real problem is the snmp agent that is running on the computer and owned by
> > > > root. Therefore your SA needs to do something, not you.
> > > >
> > > > Dick Goulet
> > > >
> > > > ____________________Reply Separator____________________
> > > > Author: Joan Hsieh <[EMAIL PROTECTED]>
> > > > Date: 2/14/2002 7:48 AM
> > > >
> > > > Hi Ray,
> > > >
> > > > We use dbsnmp on the production server. How will it affect us? Our
> > > > system people sent us the same article and are very concerned about the
> > > > security.
> > > >
> > > > Joan
> > > >
> > > > Ray Stell wrote:
> > > > >
> > > > > Oracle does not seem to be listed, but you got to wonder what code
> > > > > they based their snmp stuff on. You may want to nudge your sysadmin
> > > > > in the ribs, also.
> > > > >
> > > > > ----- Forwarded message from The SANS Institute <[EMAIL PROTECTED]> -----
> > > > >
> > > > > Date: Tue, 12 Feb 2002 12:30:06 -0700 (MST)
> > > > > To: Ray Stell <[EMAIL PROTECTED]>(SD569668)
> > > > >
> > > > > SANS FLASH ALERT: Widespread SNMP Vulnerability
> > > > > 1:30 PM EST 12 February, 2002
> > > > >
> > > > > To: Ray Stell (SD569668)
> > > > >
> > > > > Note: This is preliminary data!
> > > > > If you have additional information,
> > > > > please send it to us at [EMAIL PROTECTED]
> > > > >
> > > > > In a few minutes wire services and other news sources will begin
> > > > > breaking a story about widespread vulnerabilities in SNMP (Simple
> > > > > Network Management Protocol). Exploits of the vulnerability cause
> > > > > systems to fail or to be taken over. The vulnerability can be found in
> > > > > more than a hundred manufacturers' systems and is very widespread -
> > > > > millions of routers and other systems are involved.
> > > > >
> > > > > As one of the SANS alumni, your leadership is needed in making sure that
> > > > > all systems for which you have any responsibility are protected. To do
> > > > > that, first ensure that SNMP is turned off. If you absolutely must run
> > > > > SNMP, get the patch from your hardware or software vendor. They are all
> > > > > working on patches right now. It also makes sense for you to filter
> > > > > traffic destined for SNMP ports (assuming the system doing the filtering
> > > > > is patched).
> > > > >
> > > > > To block SNMP access, block traffic to ports 161 and 162 for tcp and
> > > > > udp. In addition, if you are using Cisco, block udp for port 1993.
> > > > >
> > > > > The problems were caused by programming errors that have been in the
> > > > > SNMP implementations for a long time, but only recently discovered.
> > > > >
> > > > > CERT/CC is taking the lead on the process of getting the vendors to get
> > > > > their patches out. Additional information is posted at
> > > > > http://www.cert.org/advisories/CA-2002-03.html
> > > > >
> > > > > A final note.
> > > > >
> > > > > Turning off SNMP was one of the strong recommendations in the Top 20
> > > > > Internet Security Threats that the FBI's NIPC and SANS and the Federal
> > > > > CIO Council issued on October 1, 2001.
> > > > > If you didn't take that action
> > > > > then, now might be a good time to correct the rest of the top 20 as well
> > > > > as the SNMP problem. The Top 20 document is posted at
> > > > > http://www.sans.org/top20.htm
> > > > >
> > > > > ----- End forwarded message -----
> > > > >
> > > > > --
> > > > > ===============================================================
> > > > > Ray Stell [EMAIL PROTECTED] (540) 231-4109 KE4TJC 28^D
> > > > > --
> > > > > Please see the official ORACLE-L FAQ: http://www.orafaq.com
> > > > > --
> > > > > Author: Ray Stell
> > > > > INET: [EMAIL PROTECTED]
> > > > >
> > > > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > > > San Diego, California -- Public Internet access / Mailing Lists
> > > > > --------------------------------------------------------------------
> > > > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > > > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> > > > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > > > (or the name of mailing list you want to be removed from). You may
> > > > > also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Joan Hsieh
  INET: [EMAIL PROTECTED]
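One way to carry out the "confirm ip filter rules" step against the ports listed in the forwarded SANS alert, as an added example that is not part of the original thread. It assumes a Linux host whose rules are available in `iptables-save` format and looks only at the named chain; `audit`, `SAMPLE` and the list of narrowing options are illustrative names and simplifications, not anything the posters used.

```python
import shlex
# Ports named in the SANS alert: 161 and 162 on tcp and udp, udp 1993 for Cisco.
ALERT_PORTS = [("udp", 161), ("udp", 162), ("tcp", 161), ("tcp", 162), ("udp", 1993)]
BLOCKING = {"DROP", "REJECT"}
# Options that limit a rule to part of the traffic (simplified, assumed list).
NARROWING = {"-s", "-d", "-i", "--state", "--ctstate", "!"}

def opt(tok, name):
    # Value following option `name` in a tokenised rule, or None.
    return next((tok[i + 1] for i, t in enumerate(tok[:-1]) if t == name), None)

def parse_ports(spec):
    """Expand '161', '161:162' or '161,162,1993' into a set of ports."""
    ports = set()
    for lo, _, hi in (p.partition(":") for p in spec.split(",")):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(ruleset, chain="INPUT"):
    """Map each alert port to 'blocked', 'restricted' or 'open' (first match wins)."""
    policy, verdict, partial = "ACCEPT", {}, set()
    for line in ruleset.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == ":" + chain:
            policy = tok[1]  # chain default, e.g. ":INPUT DROP [0:0]"
        if tok[:2] != ["-A", chain]:
            continue
        proto, target = opt(tok, "-p"), opt(tok, "-j")
        spec = opt(tok, "--dport") or opt(tok, "--dports")
        ports = parse_ports(spec) if spec else None  # None: rule covers every port
        narrowed = bool(NARROWING & set(tok))
        for key in ALERT_PORTS:
            if key in verdict or proto not in (None, "all", key[0]) or (ports and key[1] not in ports):
                continue
            if narrowed and target == "ACCEPT" and ports:
                partial.add(key)  # e.g. only a management station is let in
            elif not narrowed and target in BLOCKING:
                verdict[key] = "restricted" if key in partial else "blocked"
            elif not narrowed and target == "ACCEPT":
                verdict[key] = "open"
    for key in ALERT_PORTS:  # no deciding rule: the chain policy applies
        fallback = "open" if policy == "ACCEPT" else "blocked"
        verdict.setdefault(key, "restricted" if key in partial and fallback == "blocked" else fallback)
    return verdict

# Constructed ruleset in iptables-save format (not from the thread).
SAMPLE = """\
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m multiport --dports 161,162 -j DROP
"""
```

On the constructed sample, `audit(SAMPLE)` shows the gap the alert's wording guards against: the udp rules are in place, but tcp 161/162 and udp 1993 fall through to an ACCEPT policy and are reported as open.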
