Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Search Oracle talks about the Critical Patch Update"] [Next entry: "Michael Singer on Oracles Critical Patch Update"]

Translation of German news article

I posted about a German article a few entries ago. The post was titled "Another critical patch update news article - In German". Alex Kornbrust has kindly translated the article into English for me. He has also spoken to the original author Daniel Bachfeld who has very kindly agreed to let me publish his work in English here.

This article was originally published on the German security portal heise Security. The text in English is as follows:

Oracle close down security holes

Database manufacturer Oracle has published his quarterly CPU, which
close down 23 security holes. Affected products are the database server
(17), application server (3), collab suite (1) and the e-business
suite(2). The errors cover different versions of these products. More
detailed information is contained in the Oracle advisory for this

Different from previously advisories the manufacturer describes in his
advisory additional details concerning the vulnerabilities. He explains
what module contains what error and what additional requirements must
be fulfilled, to exploit these holes -- e.g. if a previous
authorisation is required. Some of the holes are based on buffer
overflows which allows to inject code via the network. Other holes are
based on SQL-Injection and directory traversal, the break out from a
given directory.

The patches are available on the web pages of Oracle for registered
customers. These errors were discovered among others by the specialists
for database security David Litchfield from NGSSoftware, Pete Finnigan
and Alexander Kornbrust, which have released own advisories. According
to the advisory of Kornbrust, Oracle did not patch a buffer overflow
which could crash a database server, for nearly 2 years.

See also:

* Critical Patch Update January 2005 from Oracle
* Vulnerabilities in the Oracle Database Server from NGSSoftware
* Directory Traversal from Peter Finnigan
* Buffer Overflow in Create Database Link in Oracle8i - 9i from
Alexander Kornbrust

Thanks again to Daniel and Alex.