[Previous entry: "Creating read only users"] [Next entry: "find_all_privs.sql : A script to find all privileges allocated to a user or role"]
Oracle announce that clients also need patching for alert #68
September 30th, 2004 by Pete
Post to del.icio.us
Post to Furl
Yesterday Oracle announced via the FAQ - Note 282108.1 created for the first monthly security patch release - Security Alert #68 that the Oracle clients are also vulnerable. Whether the client also needs to be patched has also been discussed a few times over the last few weeks on lists such as ORACLE-L and c.d.o.*.
Point 21 in the above FAQ discusses the question "is the Oracle client also vulnerable because of the issues fixed in alert 68". It states that some of the issues addressed are also applicable to middle tier installations and also to client only installations. Basically a successful hack of the client will not get you into the database or its server if its been patched with alert 68 but the client is exploitable. Oracle have reduced the severity of the patch to 2 for clients and 2 for application servers if the application server has been patched.
Refer to the pdf on Oracle's OTN site available above for alert #68 and also the FAQ available only on metalink for more details
