October 2006 Critical Patch Update (CPU) is out
Moving on to the tables of actual bugs, the tables have been made much clearer and no longer include the very confusing risk and threat columns of the previous format. We now have the CVSS score, whether the bug can be exploited remotely, the privilege required, the access complexity (how easy it is to call the function or feature in order to exploit it), the earliest affected release and the last affected patch sets. The pattern is repeated for each of the database product sets, and then the same structure applies to the Application Server (14 fixes, 13 of which can be exploited remotely without authentication), Collaboration Suite (12 fixes, 11 remote without authentication), E-Business Suite (13 fixes, one remote without authentication) and finally 8 PeopleSoft and one JD Edwards bug fixed.
I am impressed that a simple check is provided to test whether you have HTMLDB installed; I am not impressed that there are 35 fixes in it, although it is good that they have been fixed.
All in all I am impressed by the new style of advisory. It is not perfect, but it is much better than it was; at the end of the day you cannot please everyone and provide all the information possible. The main thing for me is to help the DBA decide whether to patch quickly, to identify which products / features / functions are affected and to help them make a decision based on the risk. Flagging the remote bugs that do not require authentication is a great step towards identifying the risk: they stand out, the product is identified and it is easier to decide.
There are a lot of fixes this time. It is good that Oracle have managed to process this many fixes; from this they seem to be getting on top of the bug fixing. Well done Mary Ann and the rest of the team. Let's hope it gets to a point where we have advisories with one or two bugs to patch as soon as possible!