
Pete Finnigan's Oracle security weblog



Translation of www.Heise.de German news article

January 21st, 2005 by Pete


I posted about a German article a few entries ago. The post was titled "Another critical patch update news article - In German". Alex Kornbrust has kindly translated the article into English for me. He has also spoken to the original author Daniel Bachfeld who has very kindly agreed to let me publish his work in English here.

This article was originally published on the German security portal heise Security. The text in English is as follows:

Oracle closes security holes

Database manufacturer Oracle has published its quarterly CPU, which closes 23 security holes. Affected products are the database server (17), application server (3), Collaboration Suite (1) and the e-business suite (2). The errors cover different versions of these products. More detailed information is contained in the Oracle advisory for this update.

Unlike previous advisories, the manufacturer describes in this advisory additional details concerning the vulnerabilities. It explains which module contains which error and what additional requirements must be fulfilled to exploit these holes -- e.g. whether prior authorisation is required. Some of the holes are based on buffer overflows which allow code to be injected via the network. Other holes are based on SQL injection and directory traversal, the break-out from a given directory.

The patches are available on Oracle's web pages for registered customers. These errors were discovered, among others, by the database security specialists David Litchfield from NGSSoftware, Pete Finnigan and Alexander Kornbrust, who have released their own advisories. According to Kornbrust's advisory, Oracle did not patch a buffer overflow which could crash a database server for nearly 2 years.

See also:

* Critical Patch Update January 2005 from Oracle
* Vulnerabilities in the Oracle Database Server from NGSSoftware
* Directory Traversal from Peter Finnigan
* Buffer Overflow in Create Database Link in Oracle8i - 9i from Alexander Kornbrust


Thanks again to Daniel and Alex.



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
