Skip to main content

Create CVE links on Oracle CPU Page

As you probably know oracle releases CPUs (Critical Patch Updates) in every 3 month now. If you have ever read any of these CPU Advisories you know it does not make too much sense to read these. But they exist. Since CPUJul2008 Oracle replaced its internal numbering (like DBnn) with CVE (Common Vulnerabilities and Exposures) numbering. Does it make any sense? In my opinion it would but it does not in this way. These CVEs does NOT contain any really useful information. The CVE database is an open database anybody can access. If they are using CVE numbers why Oracle not creating links from the Advisory page to the CVE pages? Would not it be more comfortable just to click on a link if you are interested in details instead of searching for CVE numbers manually? I think the missing link is the confession of how useless this numbering is in case of Oracle. If you read a CPU Advisory released after Jul 2008 you will find CVE numbers before every identified security bug but if you want to check the CVE you have to find it by hand and you will find no more info even on that page. So it does not make much sense because the CVE has NO useful info in it but here is a VERY SIMPLE GreaseMonkey script which inserts two links after the CVE you can click on and immediately check the "details" of the CVE.
But I repeat the CVE links are not in the CPU Advisory because the CVE does NOT contain any relevant info about the security problem.
I hope it will change in the near future and CVE or CPU will give us some useful detail.

// ==UserScript==
// @name          Oracle CPU Risk Matrix CVE- Link Creator
// @namespace     http://tamastarjanyi.blogspot.com/
// @description   Replaces simple CVE text on Oracle CPU pages (Like http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html ) to links
// @include       http://*.oracle.com/*
// ==/UserScript==


if (!GM_xmlhttpRequest) {
alert('Please upgrade to the latest version of Greasemonkey.');
}
var  tds=document.getElementsByTagName("td");
var cve=false;
for (i in tds){
if (tds[i].innerHTML.match("CVE-[0-9][0-9][0-9][0-9]-") ){
  cve=true;
  var cvetext=tds[i].innerHTML;
  tds[i].innerHTML=cvetext+" (<a target=_blank href=http://cve.mitre.org/cgi-bin/cvename.cgi?name="+cvetext+">mitre</a> | <a target=_blank href=http://nvd.nist.gov/nvd.cfm?cvename="+cvetext+">nvd</a> )";
}
}
Labels:

Comments

Post a Comment

Popular posts from this blog

Insufficient Disk Space reported under wine

Did you try to install/setup any Windows Application - actually a Game what else could be necessary - and got a message that you do not have enough free space on your drive meanwhile you had lot of free space on the chosen mounted partition? You will learn the problem and hopefully the solution too. (Of course I suppose it is not the real situation you have no enough space. If so do not read ahead.) The problem is that wine does not check the amount of free space on the mounted partition corresponds to the selected directory but reports the free on the root of the directory the partition mounted to . ;( Probably it is not clean so here is an example: Let say you have / only and something is mounted as /mnt/part1 If you directly select /mnt/part1 during installation wine will check free space in fact on / and does not calculate free on the partition mounted under /mnt/part1. How to solve it you may ask? It is easy. Start winecfg and create a new drive with the directory you want to use....
Post a Comment
Read more

User based queue mapping for Capacity Scheduler

When I  started to use Capacity Scheduler hierarchical queue features on top of Hortonworks' HDP 2.0 I have immediately realized that I need automatic assignment of job to queue based on username. Sounds easy and useful? Yes! But could not find any configuration parameter and example for that. I found only references to use mapred.job.queuename config option. This can be configured in HIVE via set mapred.job.queuename=yourqueue or using -Dmapred.job.queuename=yourqueue as a hadoop command argument. After some hours of unavailing googling I have checked the corresponding code part and have been shocked. This is available only since HADOOP-2.6 (HDP-2.2). Check YARN-2411 for details. According to the CHANGELOG this is a relatively new feature. So sadly this is not available to me until an upgrade. :( See below an example based on YARN-2411 to use it in Hadoop 2.6 or higher for Hortonworks HDP-2.2 1. user1 is mapped to queue1, group1 is mapped to queue2: yarn.schedul...
Post a Comment
Read more

Python Azure ML SDK issue on Ubuntu 22.04

It has been quite a while since I posted last time. Why? Because simply I did not run into any issue worth to share. But now! I did.  Recently we are doing some Machine Learning on Azure using Azure Machine Learning Python SDK. No problem you might think. Well. As it turned out Ubuntu 22.04 is not supported. And this is clearly said in a message. Which is in fact a lie. The Error message: NotImplementedError: Linux distribution ubuntu 22.04 does not have automatic support. Missing packages: {'liblttng-ust.so.0'} .NET Core 3.1 can still be used via `dotnetcore2` if the required dependencies are installed. Visit https://aka.ms/dotnet-install-linux for Linux distro specific .NET Core install instructions. Follow your distro specific instructions to install `dotnet-runtime-*` and replace `*` with `3.1.23`. Ok but what is this? And why? So as the error mentions dotnetcore2==3.1.23 Python package uses .NET Core 3.1 but Ubuntu 22.04 has only dotnet6 packages. And also Micro...
Post a Comment
Read more