Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Interesting post about PUBLIC privileges in"] [Next entry: "Two more "takes" on the Gartner / Oracle exploit information release reluctance"]

Oracle Users Should Take Security Patch 68 Seriously

I just found the following news item published by Garnter and written by Neil MacDonald and Rich Mogull who say

"On 9 November 2004, in a conversation with Gartner, Oracle declined to provide more detailed information about vulnerabilities its security patch 68 is meant to fix. (This is Oracle's standard policy.) Oracle first issued the security patch on 31 August 2004, and reissued the warning on 14 October after proof of concept exploit code began circulating on the Internet. The patch affects Oracle Database Server, Oracle Application Server and Oracle Enterprise Manager. Oracle gives these patches its most serious "Severity 1" rating."

The complete article can be read here. The article discusses in some detail the issues and also gives a good list of recommendations to Oracles customers in relation to this patch. The authors also take issue at the fact that Oracle refuses to disclose if customers are vulnerable or not by not recognising the difference between releasing exploits and telling customers the implications of not being protected against a particular exploit.