Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Frank has an example on simple J2EE form based authentication"] [Next entry: "Google desktop search"]

Oracle have made some big updates to alert #68

Oracle have made some big updates to the alert #68 advisory. The update is dated 2nd of March. The advisory available from Oracles Critical Patch Updates and Security Alerts page. The advisory is titled "Oracle Security Update Alert #68, Rev 4, 2 March 2005". The main change made for this revision is that Oracle have now detailed out each vulnerability that has been fixed and each has been given an identifier number such as DB20, these numbers are similar to the more recent CPU Jan 2005 advisory. The numbers in alert #68 do not relate to the newer advisory. Oracle have also added a risk matrix for each vulnerability and identified each one with a number, the component - e.g. dictionary, extproc, the require access (protocol), authorisation needed, and then the risk broken down into confidentiality, integrity and availability. The matrix also includes the earliest supported release and also the last affected patch set.

There is also a second section called required conditions which details the conditions needed to exploit the issue. There is also a workarounds section but this only includes a fix for bug DB21.

There is a new matrix for the database and the Oracle application server where there are relevant bugs in each.

This level of information now matches that released in the recent first quarterly patch scheduled release CPU Jan 2005. This level of information for alert #68 is great and I guess will be well received. The pity is that this information was not available at the time of the initial release of the advisory. It would have been more useful then with more customers crying out for detailed information to assist in assessing whether to apply the patches for this advisory.

Well done to Oracle for backdating this information and releasing it. It does show that Oracle is listening to criticisms regarding bugs and fixes in the area of releasing more information to assist customers.