Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Truncating the audit trail"] [Next entry: "The SANS S.C.O.R.E. Oracle security checklist has been updated"]

Arup Nanda is interviewed about the Oracle security patch nightmare

I just came across an interview by Robert Westervelt a news writer for that was written yesterday 21-09-04. The article is here. Arup is a very well known Oracle security expert and has written an excellent book "Oracle privacy security auditing" published by Rampant press which is all about getting an Oracle database to comply with the HIPAA, SO and GLB acts in the USA. The book is very well written and covers good ground. I plan to review it in the near future here. Arup is interviewed about the issues with the first of the new monthly patch releases from Oracle, the infamous alert #68. His concerns centre on the fact that Oracle have released very little information about the large number of security fixes this patch addresses and the fact that this makes it hard for customers to know which functions of Oracle need patching.

I agree with Arups concerns whole heartedly. I know now that a lot of the actual vulnerabilities are described in much more detail on the researcherís sites who found the issues. Take a look for instance at the extra information detailed on my alerts page for the bugs I found and those Alex Kornbrust found.

I can also only agree with Arup that I hope Oracle provide better information on future alerts so that DBA's can understand the risks of applying or not immediately applying the patches.