Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Making Oracle Forms more secure"] [Next entry: "More insights to CPU 12 April and public exploit code"]

Esteban Martinez Fayo releases his security advisories for CPU 12 April

Esteban Martinez Fayo just emailed me to let me know that he has released advisories for the bugs he found in Oracle that were patched with the CPU 12 April patch set. His bugs were found for Application Security Inc. Esteban has found five bugs, these can be found on Application Security Inc's Oracle Security Alerts page. The bugs are Denial of Service in Oracle interMedia, http://www.appsecinc.com/resources/alerts/oracle/2005-02.html - (broken link) Multiple SQL Injection vulnerabilities in DBMS_CDC_SUBSCRIBE and DBMS_CDC_ISUBSCRIBE packages, Multiple SQL Injection vulnerabilities in DBMS_METADATA package, http://www.appsecinc.com/resources/alerts/oracle/2005-04.html - (broken link) SQL Injection in ALTER_MANUALLOG_CHANGE_SOURCE procedure and http://www.appsecinc.com/resources/alerts/oracle/2005-05.html - (broken link) SQL Injection in CREATE_SCN_CHANGE_SET procedure.

These advisories are worth reading as they give quite a lot more detail than Oracle's own advisory.