
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


January 2006 Critical Patch Update Oracle security patch is released

The latest in the series of quarterly patch updates has been released. The advisory is titled "Oracle Critical Patch Update - January 2006" and is available from the Oracle security alerts page. As is now usual, the affected products fall into three categories. The first is the base product releases that are still covered by error correction support or extended error correction support. The second is products and components bundled with those in the first category. The third is products that are no longer supported as base installs but are, in some cases, still bundled with products from the first category.

A new addition with this advisory is that Oracle has provided a new tool to check default account passwords. This is available from Metalink only, as patch 4926128. This is the tool announced recently to combat the potential threat of the Voyager worm, which relies on well-known default account passwords to spread. Of course a much better default password checker, in terms of the number of default accounts checked, is available from this site.
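To show the mechanism such a checker relies on, here is an added example (not Oracle's patch 4926128 and not the checker from this site). Pre-11g Oracle stores a DES-based hash of USERNAME+PASSWORD in DBA_USERS.PASSWORD, so a default password can be detected without knowing the cleartext by comparing that column against the hash each default account ships with. The username/hash pairs below are a short illustrative subset of widely published 8i/9i/10g default values; a real checker carries a much longer list.

```sql
-- Added example: find accounts still using a well-known default password.
-- Works on Oracle 8i/9i/10g, where DBA_USERS.PASSWORD holds the 16-hex-digit
-- DES hash of UPPER(username || password). Because the username is part of
-- the hash, a pair only matches when both the account name and password are
-- the shipped defaults, which is exactly the case a worm such as Voyager tries.
-- Hash list below is a small illustrative subset, not a complete one.
WITH default_hashes (username, default_password, password_hash) AS (
    SELECT 'SYS',    'CHANGE_ON_INSTALL', 'D4C5016086B2DC6A' FROM dual UNION ALL
    SELECT 'SYSTEM', 'MANAGER',           'D4DF7931AB130E37' FROM dual UNION ALL
    SELECT 'SCOTT',  'TIGER',             'F894844C34402B67' FROM dual UNION ALL
    SELECT 'DBSNMP', 'DBSNMP',            'E066D214D5421CCC' FROM dual UNION ALL
    SELECT 'OUTLN',  'OUTLN',             '4A3BA55E08595C81' FROM dual
)
SELECT u.username,
       d.default_password,
       u.account_status,      -- OPEN accounts with a default password are the urgent ones
       u.created
FROM   dba_users u
JOIN   default_hashes d
       ON  d.username      = u.username
       AND d.password_hash = u.password
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          u.username;
```

Run it as a DBA; any row returned is an account whose password has never been changed from the shipped default. Treat OPEN rows as immediate fixes (ALTER USER ... IDENTIFIED BY a strong password, then lock what is not needed), but change the LOCKED and EXPIRED ones too, since a lock can be lifted later by anyone with ALTER USER. On 11g and later the PASSWORD column in DBA_USERS is blank and the hash moves to SYS.USER$, so this particular comparison no longer applies as written.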

The advisory also this time includes three fixes for client only installs. These are issues DBC02, DBC01 and JN01.

There are a number of new researcher names in the credit section of the advisory. This can only be taken as a sign that more and more people are becoming interested in Oracle security, which can only be a good thing in the long term.

There are 29 database-related bugs fixed in this release. Quite a few relate to package procedures and commands in the database, so whilst the exploit itself is not obvious from the advisory, the package or command that is vulnerable is.

There are then 3 client bugs, 3 HTTP server and 3 Oracle Workflow cartridge bugs.

There are then 17 Oracle Application Server related bugs listed, some of which are duplicates from the first section. There are then 20 Oracle Collaboration Suite bugs, again including 5 from previous sections. There are 27 Oracle Applications (E-Business Suite) bugs, again including 8 listed in previous sections, and finally there is one PeopleSoft bug and one JD Edwards bug fixed.

This seems like a good mixed bag of fixes, quite a lot in total, and this time it is possible to isolate the areas affected in more cases because of the more explicit naming of some packages, programs and commands.

As always apply the patches as soon as possible!