
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Two more takes on the Gartner / Oracle exploit information release reluctance

I just found two more news stories about the Gartner report that I wrote about earlier. The first is on TechWeb; it doesn't have an author indicated. It goes into detail about the main thrust of the Gartner analysts' report: that Oracle have been taken to task for not telling its customers which versions and which products are most vulnerable, and that DBAs and administrators do not have enough information to decide what to patch and which databases are most vulnerable.

I can concur with this sentiment, as I have had a number of companies ask me how to decide whether their Oracle 7 and 8.0 databases are vulnerable or not and what can be done about it, as upgrading is often not realistic. One key message being given on TechWeb and in the original Gartner report is that customers should put pressure on Oracle for more information.

The second article, also about the Gartner analysts' report, is on vnunet. This report covers similar ground and advises that customers review the Alert 68 FAQ regularly, apply the patches, upgrade if possible and set up deep packet inspection if possible or even intrusion detection systems.

Both papers emphasise the issues raised by the Gartner analysts.