On getting rid of (unpatched) Oracle 9i and lower versions

During the Planboard symposium I did some live demos of Nmap and Metasploit. Some called it brave, others called it foolish. In the end some demos that I had prepared and successfully tested only the night before took a nose dive on stage. So next time, I’ll definitely go with prepared videos.

At a certain point I showed the Oracle exploits that Metasploit has in its database (with the easy command “search exploits oracle”). Quite a few actually, but some of these only work on versions like 9i and lower. So I said to the audience: “If I would do my demos against a 9i database you would take me for some kind of crook. Because, after all, who’s using 9i databases anymore?” At that point some uneasy coughs could be heard in the room. On which I asked “okay, who still has 9i databases to maintain?” and at least 10 hands went up.

I might have been spoiled ever since I started working at Rabobank Nederland. All these standard supported database environments and such. It’s very easy to start believing that every organisation works like that.

Still, it is very possible to hack an Oracle 9i database. Especially if you never got the idea or chance to patch or secure that 9i database. I don’t like to get preachy, but unfortunately I know how easy it is to hack an Oracle 9i database. It’s like seeing motorcyclists wearing only shorts and a t-shirt and no helmet, doing 170 km per hour on the freeway. How can you not get preachy about that?

Still, I’m not blind to how these situations occur. Not every Oracle shop is a bank. It is usually one of the following reasons that DBAs never get rid of 9i or older databases:

  1. You are actually an OS administrator/<other db vendor> DBA/application administrator/middleware administrator/developer/etc.., and got this extra work on your plate. And you never get time to do any job properly. The very thought of asking to upgrade an Oracle database makes you very tired, because you have already lost your previous 8 weekends to maintenance work.
  2. You actually are a dedicated Oracle DBA, but you are tasked to continually update the application with SQL scripts and middleware stuff. That you also back up the database is a nice bonus to your superiors (until an actual restore is necessary of course).
  3. You would like nothing better than run up-to-date Oracle systems, but it’s a single instance system that can make or break the company. It was created once in 1998 and the business only allows you 1 hour of maintenance downtime every decade. Except for application updates of course, because these are important.
  4. The application doesn’t work on any version higher than 9i. Or was never certified against anything from the 21st century. Because the vendor is in a niche market and is so small they only have the resources to certify their application every half a century.
  5. You are actually a dedicated DBA and have followed an Oracle 7.3 training and.. still do everything by the 7.3 book. Even on 10g systems you set your tables with maxextents on 121 and keep exporting/importing with compressed extents, because that’s how you learned it one day… 17 years ago. Or you got more interested in online poker than in updating your knowledge/career. (I’m not making this up entirely).

What to do? Well, who am I to speak?

Well in case of option 5: can’t you give your job to someone who actually cares?

In case of option 1: I can very much understand you would like to see your family every 2 months. You need extra personnel. And if that is no option, I would regularly scan the job market for anything better. You never know. It isn’t all doom and gloom. Unless you fall under option 5.

In case of option 2 and 3: try to get as much attention for proper IT administration as you can get. Paint a vivid picture about what state your company would be in if a database actually got hacked. Show in a presentation what the front page of a newspaper would look like if word got out that the company actually got hacked. Read some books about sales and marketing to get ideas on how to sell the idea of why it’s important to have a properly updated and patched system. And if that doesn’t work: get your superiors to sign that they knowingly left the system unpatched and understand all the risks involved. They probably won’t like the idea of signing that. And that usually makes them think a little harder about what you are trying to tell them.

In case of option 4: first do the same as with option 2 and 3. Get attention for having properly updated systems. Then ask your superiors to get that vendor to work. If they don’t listen to a lowly DBA, maybe they will listen to the people who pay for those licenses. I know at least one occasion that a DBA got this working (can’t seem to find the English version of this story. Perhaps time to tell it again).

“Easy for you to say”, is of course the easiest response to all of that. The idea is not that it is guaranteed to work. The idea is to try. Because, when the database does get hacked, they will probably ask why you didn’t do the work. Because then suddenly everyone knows the importance of updating and patching.. and complex passwords.. and encryption… etc. And then it’s probably better if you can show you tried with all your might.

About Marcel-Jan Krijgsman

Marcel-Jan is the PR officer of the Werkgroep Maan en Planeten. He also handles the news on the Facebook page and this blog.