Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "I have updated my RSS feed to output 40 words instead of 20"] [Next entry: "Oracle have issued a second email with another exploitable vulnerability in in CPU 12APR"]

Oracle have issued an email alert that CPU April 2005 is vulnerable to exploit

I got an email from Alex Kornbrust this morning forwarding me an email sent by Oracle today 7th July and issued to all Oracle customers that had downloaded the Critical Patch Update for April 12 from their website. I did not receive this email myself yet. The email starts by saying that the person receiving it is doing so because they downloaded CPU 12 April for Oracle database versions,,, and It goes on to say that a step has been missed from the installation script that caused a JAR file to not be uploaded to the database. If you have not installed the JVM then there is no issue.

It goes on to say how to correct the problem after completing the installation of CPU 12 April. First start up the databases running out of the ORACLE_HOME that has been patched. For each database in the ORACLE_HOME being patched connect to the database with SQL*Plus as SYSDBA and issue the following command:

SQL> exec sys.dbms_java.loadjava('-v -f -r -s -g public rdbms/jlib/CDC.jar');

The email goes on to express apologies.

If you have installed CPU 12 April and if you have also installed the JVM then I urge you to follow these above instructions as your database is currently vulnerable.