Cisco Unified Communications Manager is vulnerable to a SQL Injection attack in the parameter key of the admin and user interface pages. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The risk is LOW. An authenticated attacker may be able to exploit this vulnerability to extract records from the Cisco Unified Communications Manager database. A successful attack might retrieve sensitive data such as user names, password hashes, and information from call records. An attacker cannot use this vulnerability to alter or delete call record information from the database.
oar-database(1) OAR commands oar-database(1)
NAME
oar-database - create/initialize/upgrade/reset/drop the oar database
SYNOPSIS
oar-database --create [OPTIONS]
oar-database --drop [OPTIONS]
oar-database --setup [OPTIONS]
oar-database --reset [OPTIONS]
DESCRIPTION
Manage the oar database.
--setup
Initialize/Upgrade an existing database.
--reset
Reset an existing database.
--create
Create and initialize a new database/user.
--drop
Drop an existing database/user.
OPTIONS
General parameters
--conf=OAR_CONF_FILE
Define the oar configuration file to use. By default /etc/oar/oar.conf is used. If this file doesn't exist, the default parameters for
each value are used.
--update-conf
The database parameters given on the command line are written to the OAR_CONF_FILE.
-h,--help
Display this help.
-d,--debug
Display more information during the script execution
-f,--force-sql
Continue the execution even if an SQL instruction fails.
-y,--force-yes
This option will cause oar-database to continue without prompting if it is doing something potentially harmful.
Database admin parameters
These parameters are only needed for database/user creation or removal.
--db-is-local
For --create or --drop, this option indicates that the database is local, so oar-database can use the local admin account to execute
commands (useful for postgres).
--db-admin-user=DB_ADMIN_USER
For --create or --drop, this option gives the privileged user to use.
--db-admin-pass=DB_ADMIN_PASS
For --create or --drop, this option gives the privileged user's password to use.
SQL parameters
By default, if not specified, all the SQL parameters are taken from the OAR_CONF_FILE. It is preferable to set these values directly in
this file.
--db-type=DB_TYPE
The type of the SQL database. Currently it can be mysql or Pg (for postgresql).
--db-user=DB_USER
Connect to the database as the user DB_USER instead of the one given in OAR_CONF_FILE. By default, if OAR_CONF_FILE doesn't specify a
user, it is oar.
--db-pass=DB_PASS
Connect to the database with the password DB_PASS instead of the one given in OAR_CONF_FILE.
--db-host=DB_HOST
Connect to the database on the host DB_HOST. By default, if OAR_CONF_FILE doesn't specify a host, it is localhost.
--db-port=DB_PORT
Connect to the database on the port DB_PORT. By default, if OAR_CONF_FILE doesn't specify a port, the value depends on the DB_TYPE. If
DB_TYPE is mysql, DB_PORT is 3306. If DB_TYPE is postgresql, DB_PORT is 5432.
--db-name=DB_NAME
Connect to the database named DB_NAME. By default, if OAR_CONF_FILE doesn't specify a database name, it is oar.
--db-ro-user=DB_RO_USER
Same as --db-user, except that it is for read-only access.
--db-ro-pass=DB_RO_PASS
Same as --db-pass, except that it is for read-only access.
EXAMPLES
Mysql
First you need to specify the sql parameters in /etc/oar/oar.conf. These parameters will be used by oar-database.
To create a new database (assuming that the sql root password is PASS):
oar-database --create --db-admin-user root --db-admin-pass PASS
To upgrade an existing database:
oar-database --setup
Postgresql
First you need to specify the sql parameters in /etc/oar/oar.conf. These parameters will be used by oar-database. Then if your postgresql
database is on the local system, you can use the option --db-is-local (otherwise, the procedure is the same as Mysql). oar-database will then
use the postgres unix user to administer the database (you need privileged access to the local system).
To create a new database:
oar-database --create --db-is-local
To upgrade an existing database:
oar-database --setup
Advanced usages
To run tests or to administer several databases, you can also specify the sql parameters on the command line. For example:
oar-database --create --db-type=Pg --db-host=HOST --db-user=oar --db-pass=PASS \
--db-admin-user=ADMIN_USER --db-admin-pass=ADMIN_PASS
will create the oar database and the oar user on the postgresql system hosted by HOST. The user ADMIN_USER must have the right to create
new databases and new roles on this system.
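The fallback rules described under OPTIONS (host localhost, user and database name oar, port chosen from DB_TYPE), together with a permission check on the configuration file that holds the database password, written as an added shell example that is not part of OAR. The oar.conf key names it reads (DB_TYPE, DB_HOSTNAME, DB_PORT, DB_BASE_NAME, DB_BASE_LOGIN) are assumptions; match them to your own file.

```shell
#!/bin/sh
# Added example, not part of oar-database. The oar.conf key names used here
# (DB_TYPE, DB_HOSTNAME, DB_PORT, DB_BASE_NAME, DB_BASE_LOGIN) are assumptions.

# conf_get FILE KEY: print KEY's value with surrounding quotes removed.
# Prints nothing if the file is missing or the key is unset or commented out.
conf_get() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# default_port DB_TYPE: the documented per-backend default port.
default_port() {
    case "$1" in
        mysql) echo 3306 ;;
        Pg) echo 5432 ;;
        *) return 1 ;;
    esac
}

# effective_params FILE: the values used when no --db-* option is given.
effective_params() {
    dbtype=$(conf_get "$1" DB_TYPE)
    host=$(conf_get "$1" DB_HOSTNAME)
    port=$(conf_get "$1" DB_PORT)
    name=$(conf_get "$1" DB_BASE_NAME)
    user=$(conf_get "$1" DB_BASE_LOGIN)
    [ -n "$port" ] || port=$(default_port "$dbtype") || port=unknown
    echo "type=${dbtype:-unset} host=${host:-localhost} port=$port name=${name:-oar} user=${user:-oar}"
}

# world_readable FILE: true if "other" has read permission on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample configuration, written to a temporary file.
demo_conf=$(mktemp)
printf '%s\n' 'DB_TYPE="Pg"' 'DB_HOSTNAME="db.example.org"' '#DB_PORT="5433"' >"$demo_conf"
chmod 644 "$demo_conf"
effective_params "$demo_conf"
world_readable "$demo_conf" && echo "WARNING: password-bearing config is world-readable"
rm -f "$demo_conf"
```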
FILES
/usr/lib/oar/database/mysql_structure.sql, /usr/lib/oar/database/pg_structure.sql
SQL instructions for creating the structure of the oar database.
/usr/lib/oar/database/mysql_default_admission_rules.sql, /usr/lib/oar/database/pg_default_admission_rules.sql
SQL instructions for inserting the default admission rules in the oar database.
/usr/lib/oar/database/default_data.sql
SQL instructions for inserting the default data in the oar database.
/usr/lib/oar/database/mysql_reset_structure.sql, /usr/lib/oar/database/pg_reset_structure.sql
SQL instructions for emptying an existing oar database.
/usr/lib/oar/database/mysql_structure_upgrade_*.sql, /usr/lib/oar/database/pg_structure_upgrade_*.sql
SQL instructions for upgrading an existing database.
oar-database 2012-06-26 oar-database(1)