
Pete Finnigan's Oracle security weblog



October 2007 Critical Patch Update (CPU) is out

October 16th, 2007 by Pete


The latest in the sequence of Oracle critical patch updates, the "Oracle Critical Patch Update - October 2007", is out this evening. The advisory states that there are 51 new security fixes across all products. This is the first CPU that uses the CVSS version 2.0 scoring algorithm. The credits go out to the usual bunch of people, including Esteban, David, Alex and Joxean. A new name is Johannes Griel of SEC.

There are 27 fixes for the database itself, and of those 5 can be exploited remotely over a network connection without a username and password. These issues alone should be enough for anyone to consider patching as soon as possible. The application server includes 11 fixes, of which 7 can again be exploited remotely across a network connection without a username and password. There are 8 new fixes for E-Business Suite, and one of those is again remotely exploitable without authentication. OEM has 2 fixes. PeopleSoft and JD Edwards have 2 fixes.

What is interesting are the CVSS scores: why would remotely exploitable bugs without authentication get lower scores than those that require a valid connection to the database? Presumably because more people have access to authenticated sessions, or the opportunity to create those sessions, than to non-authenticated ones. I.e. thousands of users may have an application account that accesses the database, and it may be possible to exploit via the application interface or a web interface, but a much smaller number of people can get direct TNS access to the database?
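To make the scoring point concrete, here is the CVSS version 2.0 base-score calculation that this CPU adopted, written out as an added example (not code from the original post or from Oracle). The vectors it scores are constructed for illustration and are not Oracle's published scores for any of the 51 fixes; the formula and weight tables are the standard CVSS v2 base metrics. The worked comparison shows why an unauthenticated network bug with partial impact can land below an authenticated one with complete impact: in CVSS v2 the impact term carries 60% of the weight, while Authentication only moves the exploitability term between 0.704 and 0.56.

```python
# Added example: CVSS v2.0 base-score calculation (the scoring system adopted by this CPU).
# The vectors used at the bottom are constructed for illustration, not Oracle's published scores.

# Standard CVSS v2 base-metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent network / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}          # None / Partial / Complete


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector}")
    return parts


def impact_subscore(m: dict) -> float:
    """10.41 * (1 - (1-C) * (1-I) * (1-A)); the impact term is 60% of the base score."""
    c, i, a = CIA_IMPACT[m["C"]], CIA_IMPACT[m["I"]], CIA_IMPACT[m["A"]]
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(m: dict) -> float:
    """20 * AV * AC * Au; Authentication is one of three factors in the 40% term."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    if impact == 0:
        return 0.0  # f(Impact) = 0: no impact means no score, whatever the exploitability
    exploitability = exploitability_subscore(m)
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


def score_table(vectors: list) -> list:
    """Score each vector and return (vector, score) pairs, highest score first."""
    scored = [(v, base_score(v)) for v in vectors]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed comparison: an unauthenticated network bug with partial C/I/A impact
# versus an authenticated one with complete impact.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # remote, no credentials, partial impact
    "AV:N/AC:L/Au:S/C:C/I:C/A:C",  # remote, one valid login, complete impact
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # remote, no credentials, complete impact
]

if __name__ == "__main__":
    for vector, score in score_table(SAMPLE_VECTORS):
        print(f"{score:4.1f}  {vector}")
```

Running the table prints 10.0 for the unauthenticated/complete vector, 9.0 for the authenticated/complete one and 7.5 for the unauthenticated/partial one, so the ordering in an advisory reflects what an attacker gets as much as how they get there.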

The number of fixes is not the maximum seen over the period that we have had quarterly patches, but it's not massively low either: 51 fixes is still a lot of security fixes for a company to issue. Is the trend going down or not?


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
