
Pete Finnigan's Oracle security weblog




Oracle release the January 2008 CPU patch

January 16th, 2008 by Pete


The January 2008 CPU is out. Oracle have released the Oracle Critical Patch Update Advisory - January 2008. This is the next in the line of quarterly security patches. This patch seems to have turned some sort of corner, at least in terms of the number of bugs fixed (26) and also in terms of severity: the fixes this time are not as severe as they have been in the past. There are only 8 database fixes this time, which in Oracle terms (recent history) is good progress. Have we turned a corner? Let's see; it could be that we have.

The credits this time include some new names. This is good, as it means that new people are investigating Oracle security, which is good for us all. My name is there this time as well..:-), not new, but it's been a while since the last time.

There are 6 Application server fixes and one for collaboration suite and 7 for E-Business Suite and 4 PeopleSoft fixes.

I also think it's interesting that there is a hint of Oracle working well with the researchers. The advisory credits Esteban for his help in ensuring that the fix is of the highest quality. This is positive!

The patch is also significant for including the first 11g database security fix in a CPU. Also, as Amichai said in his news post Oracle patch cycle includes first 11g database fix, the CPU "included a fix for a vulnerability whose function had no effect, as strange as it sounds", which is interesting if you know why!

There have been 2 comments posted on this article


January 21st, 2008 at 07:18 pm

Paul Drake says:

Here is an interesting note from the readme.html that's probably worth mentioning:

Issue 6: This critical patch update may reload a few packages (for example, the utl_file package). This reinstates all of its default grants, regardless of any revocations made by the end-user.

Workaround: Revoke all grants made by end user for such packages. (ref: OracleMetaLink Note 131752.1.)

This is nothing new, as it was mentioned in Note 390225.1.
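A practical way to catch the grant reinstatement Paul describes is to snapshot the PUBLIC execute grants on SYS packages while the database is in its hardened state and diff them after the CPU is applied. The following Oracle SQL is an added example written for this page, not code from the post, the comment or Oracle; the snapshot table name is an assumption, and it assumes the snapshot is taken before patching.

```sql
-- Step 1 (before the CPU): record the hardened state of PUBLIC execute grants
-- on SYS-owned packages. Table name sec_pub_exec_snapshot is assumed for
-- this example; create it in a DBA-owned schema, not in SYS.
CREATE TABLE sec_pub_exec_snapshot AS
SELECT owner, table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE owner     = 'SYS'
   AND grantee   = 'PUBLIC'
   AND privilege = 'EXECUTE';

-- Step 2 (after the CPU): list every PUBLIC execute grant on a SYS package
-- that exists now but was absent from the hardened snapshot. A reloaded
-- package such as UTL_FILE shows up here if its default grant came back.
SELECT p.table_name
  FROM dba_tab_privs p
 WHERE p.owner     = 'SYS'
   AND p.grantee   = 'PUBLIC'
   AND p.privilege = 'EXECUTE'
MINUS
SELECT s.table_name
  FROM sec_pub_exec_snapshot s;

-- Step 3: generate the REVOKE statements for the reinstated grants.
-- Review the output before running it; some grants may be required by
-- applications and should be re-hardened with an explicit per-user grant.
SELECT 'REVOKE EXECUTE ON SYS.' || table_name || ' FROM PUBLIC;' AS revoke_stmt
  FROM (SELECT table_name
          FROM dba_tab_privs
         WHERE owner     = 'SYS'
           AND grantee   = 'PUBLIC'
           AND privilege = 'EXECUTE'
        MINUS
        SELECT table_name
          FROM sec_pub_exec_snapshot);
```

Keep the snapshot under version control alongside the rest of the hardening baseline so the same diff can be rerun after every CPU or one-off patch.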



January 24th, 2008 at 09:17 am

Pete Finnigan says:

Hi Paul,

Thanks very much for your comment. This is, as you point out, not new, and it is something everyone who hardens a database needs to be aware of: any CPU (or other patch) can in some instances reinstate all the default grants, which are inevitably more insecure than your hardened state.

cheers

Pete




This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
