
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


October 2007 Critical Patch Update (CPU) is out

The latest in the sequence of Oracle critical patch updates - the "Oracle Critical Patch Update - October 2007" is out this evening. The advisory states that there are 51 new security fixes across all products. This is the first CPU that uses the CVSS version 2.0 scoring mechanism / algorithm. The credits go out to the usual bunch of people, including Esteban, David, Alex and Joxean. A new name is Johannes Griel of SEC.

There are 27 fixes for the database itself, and of those 5 can be exploited remotely over a network connection without a username and password. These issues alone should be enough for anyone to consider patching as soon as possible. The application server has 11 fixes, of which 7 can again be exploited remotely across a network connection without a username and password. There are 8 new fixes for E-Business Suite, and one of those is again remotely exploitable without authentication. OEM has 2 fixes. PeopleSoft and JD Edwards have 2 fixes.

What is interesting are the CVSS scores: why would bugs that are remotely exploitable without authentication get lower scores than those that require a valid connection to the database? Presumably because more people have access to authenticated sessions, or the opportunity to create those sessions, than to non-authenticated ones. I.e. thousands of users may have an application account that accesses the database, and it may be possible to exploit via the application interface or a web interface, but a much smaller number of people can get direct TNS access to the database?

The number of fixes is not the maximum seen over the period that we have had quarterly patches, but it's not massively low either: 51 fixes is still a lot of security fixes for a company to issue. Is the trend going down or not?