Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Sentrigo release a study of how many people apply a CPU"] [Next entry: "UKOUG Unix SIG 22nd Jan and more"]

Oracle release the January 2008 CPU patch



The January 2008 CPU is out. Oracle have released their Oracle Critical Patch Update Advisory - January 2008 advisory. This is the next in the line of quarterly security patches. This patch seems to have turned some sort of corner at least in terms of the number of bugs fixed (26) and also in terms of severity. The fixes this time are not as severe as they have been in the past. There are only 8 database fixes this time which in Oracle terms (recent history) is good progress. Have we turned a corner? - lets see, it could be that we have.

The credits this time include some new names, this is good as it means that new people are investigating Oracle security. Thats good for us all. My name is there this time as well..:-), not new but its been a while since the last time.

There are 6 Application server fixes and one for collaboration suite and 7 for E-Business Suite and 4 PeopleSoft fixes.

I also think its interesting that there is a hint of Oracle working well with the researchers. The advisory credits Esteban for his help in ensuring that the fix is of the highest quality. This is positive!

The patch is also significant for its inclusion of the first 11g database security fix included in a CPU. Also as Amichai said "included a fix for a vulnerability whose function had no effect, as strange as it sounds" in a news post Oracle patch cycle includes first 11g database fix which is interesting if you know why!

There has been 2 Comments posted on this article


January 21st, 2008 at 07:18 pm

Pete Finnigan says:

Here is an interesting note from the readme.html that's probably worth mentioning:

Issue 6: This critical patch update may reload a few packages (for example, the utl_file package). This reinstates all of its default grants, regardless of any revocations made by the end-user.

Workaround: Revoke all grants made by end user for such packages. (ref: OracleMetaLink Note 131752.1.)

This is nothing new, as it was mentioned in Note 390225.1.



January 24th, 2008 at 09:17 am

Pete Finnigan says:

Hi Paul,

Thanks very much for your comment. This is, as you point out not new and is something everyone who hardens a database needs to be aware of that any CPU (or other patch) can in some instances reinstate all the default grants which are inevitably more insecure than your hardened state.

cheers

Pete