Vulnerability Note VU#782567
Objectivity/DB administration tools lack authentication
Overview
The administration tools shipped with Objectivity/DB (e.g., ookillls, oostopams) do not require authentication, whether they are run locally or against a remote database server.
Description
Objectivity/DB comes with several administration tools for database maintenance. By design, these tools do not require authentication. Because the authentication check is absent on the server side, an attacker does not need the vendor's tools at all: a custom script that speaks the same protocol can emulate their functionality.
Impact
An unauthenticated remote attacker can run commands on the database server. Confidentiality, Integrity, and Availability of the data can be compromised by the attacker.
Solution
We are currently unaware of a practical solution to this problem.
Implement firewall rules that restrict remote access to trusted sources only, or block remote access entirely and perform administration locally. TCP ports 6779 and 6780 should be filtered.
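Because the tools perform no authentication, any accepted connection to the administration ports from outside the trusted administration network is effectively unauthenticated administrative access. The following script, added here as an example and not part of this note, flags such connections in firewall logs; the log format and the trusted network 10.0.5.0/24 are assumptions.

```python
# Flag accepted connections to the Objectivity/DB administration ports
# (TCP 6779/6780 from the note's Solution section) that do not originate
# from a trusted administration network. Example added to this note; the
# log format and the trusted network below are assumptions, not the note's.
import ipaddress
import re

ADMIN_PORTS = {6779, 6780}
# Placeholder trusted admin network (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample firewall records in an assumed syslog-like format.
SAMPLE_LOG = """\
2011-01-13T10:01:02Z fw ACCEPT SRC=10.0.5.17 DST=10.0.1.20 PROTO=TCP DPT=6779
2011-01-13T10:02:45Z fw ACCEPT SRC=203.0.113.9 DST=10.0.1.20 PROTO=TCP DPT=6780
2011-01-13T10:03:10Z fw ACCEPT SRC=198.51.100.4 DST=10.0.1.20 PROTO=TCP DPT=443
2011-01-13T10:04:33Z fw ACCEPT SRC=192.0.2.77 DST=10.0.1.20 PROTO=TCP DPT=6779
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def is_trusted(src: str) -> bool:
    """True if the source address lies inside a trusted admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_admin_access(log_text: str) -> list:
    """Return records where an untrusted host reached an admin port.
    The tools perform no authentication, so every such accepted
    connection must be treated as administrative access to the database."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        rec = m.groupdict()
        if (rec["action"] == "ACCEPT" and rec["proto"] == "TCP"
                and int(rec["dpt"]) in ADMIN_PORTS and not is_trusted(rec["src"])):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_untrusted_admin_access(SAMPLE_LOG):
        print(f"{rec['ts']} untrusted {rec['src']} -> port {rec['dpt']}")
```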
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Objectivity Inc | Affected | 05 Nov 2010 | 02 Dec 2010 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
Credit
Thanks to Jeremy Brown for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
- CVE IDs: Unknown
- Date Public: 13 Jan 2011
- Date First Published: 13 Jan 2011
- Date Last Updated: 13 Jan 2011
- Severity Metric: 5.52
- Document Revision: 11
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.