
Pete Finnigan's Oracle security weblog


Oracle Issues Pile of 51 Security Patches

October 17th, 2007 by Pete

Oracle Issues Pile of 51 Security Patches - By Lisa Vaas

"Oracle releases a long list of patches and scores them in a manner that some say downplays the true risks.

Oracle on Oct. 16 released 51 security fixes, including 27 patches for the beating heart of so many enterprises: the Oracle database."

Interesting article by Lisa that confirms the suspicion I raised here last night: the scores seem low for most of the reported fixes, and particularly for the remotely exploitable bugs that do not require authentication.

There have been 2 comments posted on this article

October 17th, 2007 at 08:37 pm

Stephen Kost says:

The problem with the Oracle CVSS scores has everything to do with CVSS and not much to do with Oracle manipulating the scores. To achieve a high CVSS base metric, root access needs to be gained, which is difficult to do against a properly configured Oracle database. What is not taken into account in the score is that the entire database or application can be compromised. The CVSS focus is really on servers and routers rather than databases and applications. This is why Oracle uses the Partial+ rating. This has been an issue ever since Oracle began using CVSS. From a year ago, you can read my blog post on the topic --

October 18th, 2007 at 08:59 am

Pete says:

Hi Steve,

Thanks for your comment. I was not meaning to suggest that Oracle manipulated the scores; I was making a dig at the method used. Perhaps I should have explained better. Thanks for the link to your blog entry, it's interesting. In the case of Oracle using CVSS, it's a case of the customers being fully aware of what the realistic maximums are and what they mean. The issue for me is that for some thief to steal, say, credit card data is a full compromise of the business, and root access is not needed. Customers of Oracle need to understand that a lower score is in their case a full compromise.

Thanks again for the link.
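To make the point in the two comments above concrete, here is an added example (my own illustration, not code from the original post or from Oracle) that computes CVSS v2 base scores from the published metric weights and formula. It shows why a remotely exploitable, unauthenticated bug rated Partial on confidentiality, integrity and availability stops at 7.5, while the same exploitability with Complete impact (host-level, "root" compromise) reaches 10.0. The vector strings and the comparison helper are constructed for the example; the constants are the standard CVSS v2 values.

```python
"""CVSS v2 base-score calculator (added example, not from the original post).

Under CVSS v2 the base score only reaches the top of the scale when the
confidentiality, integrity and availability impacts are all Complete, which
in practice means root-level compromise of the host.  A database bug that
hands over every table but not the operating system is rated Partial and
caps out lower, which is the "realistic maximum" customers need to know.
Metric weights below are the published CVSS v2 constants.
"""
from __future__ import annotations

# Published CVSS v2 metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

REQUIRED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector: str) -> dict[str, str]:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric -> value mapping."""
    metrics: dict[str, str] = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[name] = value
    missing = REQUIRED_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return metrics


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41 * (1 - (1-C) * (1-I) * (1-A))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the standard specifies."""
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploitability = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    f_impact = 0.0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def compare_partial_vs_complete(exploit_prefix: str = "AV:N/AC:L/Au:N") -> dict[str, float]:
    """Same exploitability (here: remote, low complexity, no authentication),
    differing only in whether the impact is rated Partial or Complete.
    The prefix is a constructed example vector, not one from an Oracle CPU."""
    return {
        "partial": base_score(f"{exploit_prefix}/C:P/I:P/A:P"),
        "complete": base_score(f"{exploit_prefix}/C:C/I:C/A:C"),
    }


if __name__ == "__main__":
    for label, score in compare_partial_vs_complete().items():
        print(f"{label:8s} impact -> base score {score}")
```

Run stand-alone it prints the two scores side by side; the gap between them is entirely the C/I/A weighting, not the exploitability, which is exactly the distinction the Partial+ rating is trying to communicate.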




This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
