Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Creating read only users"] [Next entry: "find_all_privs.sql : A script to find all privileges allocated to a user or role"]

Oracle announce that clients also need patching for alert #68

Yesterday Oracle announced via the FAQ - Note 282108.1 created for the first monthly security patch release - Security Alert #68 that the Oracle clients are also vulnerable. Whether the client also needs to be patched has also been discussed a few times over the last few weeks on lists such as ORACLE-L and c.d.o.*.

Point 21 in the above FAQ discusses the question "is the Oracle client also vulnerable because of the issues fixed in alert 68". It states that some of the issues addressed are also applicable to middle tier installations and also to client only installations. Basically a successful hack of the client will not get you into the database or its server if its been patched with alert 68 but the client is exploitable. Oracle have reduced the severity of the patch to 2 for clients and 2 for application servers if the application server has been patched.

Refer to the pdf on Oracle's OTN site available above for alert #68 and also the FAQ available only on metalink for more details