Where to find database vulnerabilities not yet fixed; Coming January 18 - February 1

Wednesday Jan 13th 2010 by DatabaseJournal.com Staff

“During the time our position to responsible disclosure policy has been evolved and now we do not support it. Because it is enforced by vendors and it allows vendors to exploit security researches to do QA work for free.” -- Evgeny Legerov

If you haven’t heard yet, a Russian security firm, Intevydis, has become so frustrated with the unresponsiveness of vendors that they have pledged to reveal details of undisclosed flaws in enterprise applications (including databases) they have discovered for the remainder of January. This started January 11th and currently has the two vulnerabilities posted on the Intevydis blog:
  • Jan. 11 - Sun Directory Server 7.0 core_get_proxyauth_dn DoS
  • Jan. 12 - Tivoli Directory Server 6.2 do_extendedOp DoS
So how do your applications and databases stack up in the mix? Here is the current schedule of exposures according to the Intevydis blog:
  • [January 11, January 17] – week of directory server bugs, 0days in Novell eDirectory, Sun Directory, Tivoli Directory..etc
  • [January 18 - January 24] – week of web server bugs, 0days in Zeus Web Server, Sun Web Server, Apache(?)..etc
  • [January 25 - February 1] – week of database bugs, inspired by our research for DBJIT Toolset, 0days in Mysql, IBM DB2, Lotus Domino, Informix, Oracle(?)…and hopefully more
It is nice to see that they have saved the databases until last. Maybe the vendors will respond between now and then to remedy the riff that has occurred and our databases will remain safe.
Mobile Site | Full Site