Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "OWASP Leeds meeting slides available"] [Next entry: "Health Data Theft"]

Oracle's October pre-cpu advisory is released

Oracles usual pre-release for the CPU (Critical Patch Update) for October has been released. The pre-release document is usually released the Thursday before the CPU; the CPU is due out next Tuesday the 20th October. The CPU should have been out this Tuesday though but Oracle delayed this CPU because of Open World.

The CPU contains 38 security fixes (16 for the database) but if we consider Oracles internal fixing rate (i.e. security bugs that are not individually recognised on the advisory) may actually indicate that could be 123 silently fixed bugs (who knows!).

The bigger worry is that for this CPU 16 bugs are fixed in the database, one is for the client only and 6 are exploitable remotely without a username and password. The highest CVSS score is 10.0 for Windows and 7.5 for other platforms.

The cynical view when Oracle delayed the release of the CPU before Open World to allow DBA's to attend without worrying about applying patches was that there was bad news coming. Well the number of bug fixes is not astronomical but the news is bad, 6 remotely exploitable bugs without authenication and a CVSS of 10.0 is not exactly good news. The pre-release is now issued after Open World with this news.