
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Sun has released an alert notification (15 July 2005) about multiple security vulnerabilities in Oracle affecting SunMC

Sun has released an alert notification (Sun Alert ID 101782) dated 15 July 2005 and titled "Multiple Security Vulnerabilities in Oracle Affect SunMC". The synopsis states that unprivileged local or remote users can execute arbitrary code on Solaris systems which have Sun Management Center (SunMC) installed and enabled. The SunMC software typically runs as the user "smcorau", which is unprivileged, but it uses the Oracle listener. It is therefore affected by the multiple listener vulnerabilities covered in Oracle Alert #68. This affects SunMC 3.5 on Solaris 8, 9 and 10 systems that have not had Sun patch 118829-04 applied.

Sun recommends installing patch 118829-04 or later and also installing Oracle's latest Critical Patch Update.
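The "118829-04 or later" criterion can be checked mechanically on each SunMC host. The following is an added example, not part of the Sun alert or the original post: it assumes the input is in the `Patch: <id>-<rev> ...` line format printed by Solaris `showrev -p`, and the sample listings and package names in it are constructed.

```shell
#!/bin/sh
# Reads `showrev -p`-style lines on stdin and succeeds only if the given
# patch ID is present at the given revision or later.
# Usage on a real host (assumed): showrev -p | patch_at_least 118829 04
patch_at_least() {
    awk -v id="$1" -v min="$2" '
        $1 == "Patch:" {
            # $2 looks like 118829-04; compare the ID exactly so that
            # 1188290-05 is never mistaken for 118829.
            if (split($2, p, "-") == 2 && p[1] == id) {
                rev = p[2] + 0      # numeric, so "08" is 8 and not bad octal
                if (!found || rev > best) { best = rev; found = 1 }
            }
        }
        END { exit !(found && best >= min + 0) }
    '
}

# Constructed sample: only the older revision is installed.
sample_unpatched() {
    cat <<'EOF'
Patch: 118829-03 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg1
Patch: 1188290-05 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg2
EOF
}

# Constructed sample: an older and a later revision are both listed.
sample_patched() {
    cat <<'EOF'
Patch: 118829-03 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg1
Patch: 118829-08 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg1
EOF
}

for sample in sample_unpatched sample_patched; do
    if "$sample" | patch_at_least 118829 04; then
        echo "$sample: 118829-04 or later is installed"
    else
        echo "$sample: 118829-04 or later is NOT installed"
    fi
done
```

This covers only the Sun patch; the Oracle Critical Patch Update level has to be verified separately.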

Why release a note now about bugs in Alert #68? This could be symptomatic of a bigger issue. How many companies use Oracle only because another supplier uses it and it is part of some other software? If the supplier assumes the person running it has patched, or vice versa, then how many Oracle systems are out there unpatched?