Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Debu has an interesting pointer to an Oracle security paper"] [Next entry: "Oracle ships patches seeded with message digest data"]

CPU April 12 - 2005 is released

Oracle has released not long ago the advisory and patch set for the second quarterly scheduled patch fix. This advisory is called "Critical Patch Update - April 2005" and is available from Oracle's security alerts page.

This advisory follows the more detailed information trend started with alert 68 and Critical Patch Update - January 2005 and includes detailed information for each bug (no details on how to exploit or example code) and a risk matrix for each bug. This is good information.

There are a few comments worth making though. The first is that there are quite a lot of fixes aimed at the Oracle HTTP server, the email server and calendar. This means that customers who use these components should be wary of their security posture and should patch quickly.

The second observation is that this advisory and patch set includes fixes for PeopleSoft software; an interesting addition after the recent purchase.

Also the number of people credited with finding bugs this time is low, just three, David Litchfield, Stephen Kost and Esteban Mart�nez Fay�. It is interesting that Alex is not mentioned considering he has just released a paper on a default installation SQL Injection issue in Oracle Forms that was delayed until this CPU presumably because of a fix.

It is also interesting that Alex has a list of 40 Oracle bugs that are not fixed yet, some reported in 2003!, Esteban Mart�nez Fay� also said in a recent paper "Advanced SQL Injection in Oracle databases" that over 65 PL/SQL and SQL buffer overflows had been reported and not fixed yet.

Oracle have made great strides forwards with the amount of information released with their patches and advisories lets hope they can clear this apparent backlog of security fixes now.