Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Critical Patch Update July 12 2005 is available"] [Next entry: "Self signed SSL certificates with JInitiator"]

CPU 12 July 2005

There are 47 security bugs fixed in this Critical Patch Update and these are spread across quite an array of Oracles products. The database is affected for versions 8.0.6, 8i Release 3, 9i release 1 and 2 and 10g Release 1. This time Enterprise manager Grid Control 10g, 10g Database Control and Application Server Control are affected. Oracle 9i Application server 9i release 1 and 2 and 10g are affected as are Collaberation Suite release 2 and E-Business Suite and applications 11.0 and 11i. Finally Workflow 11.5.1 to, Forms and Reports and, JInitiator, versions 1.1.8, 1.3.1, Developer Suite, versions, 9.0.4,, 9.0.5, 10.1.2 and Express Server, version

There are no vulnerabilities affecting installed clients that are not accompanied by a database server install. This CPU July 2005 does not need to be installed on client only installations if a previous CPU has been applied or alert #68.

There is a pre-installation note and risk matrix for each group of products. It is interesting to note that Oracle says it has tested each vulnerability in isolation and has not tested for blended attacks using more than one of the reported vulnerabilities.

Quite a few people are credited with discovering bugs. These include Alex Kornbrust, Esteban Mart�nez Fay�, Gerhard Eschelbeck, Stephen Kost , David Litchfield, - (broken link) Michael Murray, Aaron C. Newman and - (broken link) Mike Sues. There are a few new names that we have not normally seen in the recent times of Oracle Security bugs.

It is also quite interesting that this time there are no PeopleSoft fixes included in this patch update.

There are then five sections detailing the bugs found. There is not a great deal of detail as usual. Only sparse mention of components and packages that are vulnerable. Sometimes this is enough to get an idea of the type of bug involved.