Friday, February 03, 2006

Who got egg on their faces now?

In his rush to publish an unfixed vulnerability in the Oracle E-Business Suite, David Litchfield cobbled together a quick workaround/fix that he claimed is easy to apply and works. Oracle, predictably, said that the "fix" would break the E-Biz suite and should not be applied. Oh boy, who do you believe? Along came Stephen Kost with a detailed analysis of the vulnerability and of Litchfield's "fix", showing why the "fix" would not work and would indeed break the Oracle E-Biz suite. Stephen has three recommendations. The first is to disable mod_plsql and to follow Oracle Metalink Note 287176.1 for configuring your E-Biz suite in a DMZ. By disabling mod_plsql you are of course disabling certain functionality, and it is up to each organization to weigh the loss of functionality against the vulnerability. The second is to modify the mod_plsql configuration, but you will take a performance hit and possibly lose functionality, as some valid calls to path aliases might be blocked. The third is the status quo: wait for Oracle to release a patch (either an emergency patch or one in the next scheduled release). Stephen Kost's analysis can be found at his Integrigy site. If you have not read it, please do.