Clarifying OpenSSL protocol vulnerabilities |
 |
EXPERT RESPONSE FROM: Brian Peasland
|
|
|
| > |
QUESTION POSED ON: 22 December 2003
Quote from SearchOracle.com Dec. 8 says "Oracle Corp. on Friday confirmed that a variety of its server products could be tampered with through vulnerabilities via the OpenSSL protocol." My understanding is this: The vulnerability exists if using OpenSSL protocol. If users access all databases behind firewall via intranet, then tampering can only come from internal employees. Correct?
|
|
| > |
|
To a point, this is correct. The OpenSSL vulnerability can only be
exploited if someone has access to your database server. For these
types of security reasons, many organizations place their database
server behind a firewall, and rightfully so. However, application
servers, which typically sit in a "De-militarized zone (DMZ)" area of
the firewall, not only allow open access to the application server but
also need a firewall hole poked to let the application server connect
to the database. Depending on your level of security and your network
configuration, it is possible for someone in the outside world to be
able to exploit this security hole. For that reason, I make the
appropriate security fixes for the database even if the database is
inside the company's firewall.
|
|
|
|
|
|
|
|
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
|
|
|
|
|
|
|
|
|
|
|
