
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Latest Oracle Security Critical Patch Update is out

The most recent patch Tuesday for Oracle happened yesterday. The sizes of the patches are increasing, but that is due solely to the recent acquisition of Sun. The database security patches are the area where I have an interest, and the number of fixes in the database is definitely dropping. I have to say also that for a long time now patches have not been the topic of conversation with customers or at conferences. The major focus seems to be around hardening, core security controls and audit trails. Companies seem to have become aware of the true issues over the last couple of years. Security patches are obviously important and should be installed, but they are not the crux of the issue of securing data in an Oracle database. The biggest issues are often a lack of accountability, insufficient controls, excessive privileges and a lack of segregation of duties. Most of these issues are often a remnant of not including security as part of the original design. We can ask Oracle to fix security bugs, but we cannot ask them to fix our designs where security is concerned; that's our job!
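The controls named above (accountability, excessive privileges, audit trails, and patch level as the last item) can all be checked directly from the Oracle data dictionary. The queries below are an added example, not code from the original post; they use only standard DBA_* and V$ views and need to be run from a DBA-privileged account. The list of Oracle-maintained schemas excluded in query 3 is an assumption and should be adjusted to the schemas actually shipped in the instance being audited.

```sql
-- Added example: data-dictionary checks for the issues the post names.
-- Run as a DBA-privileged account; all views are standard Oracle dictionary views.

-- 1. Excessive privileges: who holds DBA or full import/export roles,
--    and who can pass them on (ADMIN_OPTION = YES).
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE')
ORDER  BY grantee;

-- 2. Excessive privileges: real users (not roles) holding %ANY% system
--    privileges, which cut across schema boundaries (e.g. SELECT ANY TABLE).
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  p.privilege LIKE '%ANY%'
ORDER  BY p.grantee, p.privilege;

-- 3. Insufficient controls: application objects exposed to PUBLIC.
--    The excluded owner list is an assumption; extend it with the
--    Oracle-maintained schemas present in your instance.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS', 'WMSYS')
ORDER  BY owner, table_name;

-- 4. Accountability: is the standard audit trail switched on at all,
--    and are SYS actions audited?  audit_trail = NONE means no trail.
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations');

-- 5. Accountability: which statement audit options are actually set.
--    An empty result with audit_trail enabled still means nothing is recorded.
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts
ORDER  BY user_name, audit_option;

-- 6. Patch level: CPU/PSU applications are recorded in the registry history,
--    so the most recent row shows when the database was last patched.
SELECT action_time, action, namespace, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time DESC;
```

Queries 1 to 3 give the raw material for a privilege and segregation-of-duties review; queries 4 and 5 show whether anyone would actually be held accountable for misuse of those privileges; query 6 ties the check back to the patch update discussed in this post.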

The January 2011 Oracle Critical Patch Update includes 7 database server issues: one in Audit Vault with a CVSS score of 10, one in Oracle Secure Backup and 5 in the database. All three areas have remotely exploitable bugs without the need for a username and password.