The latest in the sequence of Oracle critical patch updates - the "Oracle Critical Patch Update - October 2007" is out this evening. The advisory states that there are 51 new security fixes across all products. This is the first CPU that uses the CVSS version 2.0 scoring mechanism / algorithm. The credits go out to the usual bunch of people, including Esteban, David, Alex and Joxean. A new name is Johannes Griel of SEC.
There are 27 fixes for the database itself and of those 5 can be exploited remotely over a network connection without a username and password. These issues alone should be enough for anyone to consider patching as soon as possible. The application server includes 11 fixes of which 7 again can be remotely exploited across a network connection without a username and password. There are 8 new fixes for E-Business Suite and one of those is again remotely exploitable without authentication. OEM has 2 fixes. Peoplesoft and JD Edwards 2 fixes.
What is interesting are the CVSS scores, why would remotely exploitable bugs without authentication get lower scores that those that require a valid connection to the database? presumably because more people have access to authenticated sessions or opprtunity to create those sessions that non-authenticated ones. i.e. thousands of users may have an application account that accesses the database and it may be posisble to exploit via the application interface or a web interface but a much smaller number of people can get direct TNS access to the database?
The number of fixes is not the maximum seen over the period that we have had quarterly patches but its not massively low, 51 fixes is still a lot of security fixes for a company to issue. Is the trend going down or not?
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Nice paper on time based blind SQL"] [Next entry: "Oracle Issues Pile of 51 Security Patches"]
October 2007
- The first Oracle 11g password cracker - 10/02/2007 by 10/02/2007
- Nice SQL Injection cheat sheet - 10/03/2007 by 10/03/2007
- Weakness in Oracles new 11g authentication protocol - 10/08/2007 by 10/08/2007
- The fastest Oracle password cracker in the world is released!!! - 10/09/2007 by 10/09/2007
- Extreme SQL Injection - 10/10/2007 by 10/10/2007
- Oracle October CPU pre-release analysis - 10/13/2007 by 10/13/2007
- Creating a SYSDBA backdoor - 10/15/2007 by 10/15/2007
- October 2007 Critical Patch Update (CPU) is out - 10/16/2007 by 10/16/2007
- Oracle Issues Pile of 51 Security Patches - 10/17/2007 by 10/17/2007
- Oracle plugs critical database, application flaws - 10/18/2007 by 10/18/2007
- Oracle 11g for Windows is available - 10/23/2007 by 10/23/2007
- CheckPwd version 2 A12 is released - 10/24/2007 by 10/24/2007
- Nice ideas to scrape the alert log in Windows - 10/25/2007 by 10/25/2007
- David Litchfield has started a new blog - 10/27/2007 by 10/27/2007
- Oracle Database Buffer overflow vulnerability in function MDSYS.SDO_CS.TRANSFORM - 10/29/2007 by 10/29/2007
- Simple Oracle 11g Password check PL/SQL script - 10/30/2007 by 10/30/2007
- Does Oracle's Database Need More Security? - 10/31/2007 by 10/31/2007
Archives
Syndication
Powered by gm-rss 2.0.0
