Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 26 visitors online    

Pete Finnigan's Oracle security weblog


Home » Archives » April 2008 » Two remotely exploitable without authentication bugs to be fixed

[Previous entry: "Fine Grained network Access Control in 11g"] [Next entry: "Slides from OUGN Norway and RISK 2008 Norway available"]

04/14/2008: "Two remotely exploitable without authentication bugs to be fixed"

Post to del.icio.us   Post to Furl   Digg!

Oracle's pre-patch advisory note for the next Critical Patch Update (CPU) due this Tuesday (15th) states that there are 17 new security fixes for the database, two for Apex and two of which are remotely exploitable without authentication. The advisory....[Read More]

Oracle's pre-patch advisory note for the next Critical Patch Update (CPU) due this Tuesday (15th) states that there are 17 new security fixes for the database, two for Apex and two of which are remotely exploitable without authentication. The advisory states:

"This Critical Patch Update contains 17 new security fixes for the Oracle Database including 2 for Oracle Application Express. Two of these vulnerabilities may be remotely exploited without authentication, i.e. may be exploited over a network without the need for a username and password. None of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed."

This, as Scott Spendolini states is confusing as it is unclear if these bugs are the APEX bugs or different bugs. If most CPU releases are anything to go by people had better beware as often exploits are released on sites such as Milw0rm soon after the CPU / patch is released. Where there are remotely exploitable bugs without the need of authentication this is much more serious.

As I said its unclear if these remotely exploitable bugs are APEX or not. If they are then a clear action for anyone to do is to de-install APEX if its not used. This is normal practice in security anyway, reduce the attack surface and ensure that only the features/components needed are installed. One of the new "features" of 11gR1 is the default install of APEX, if someone needs APEX they should install it, it doesnt need to be there by default, especially if there are security bugs in it. Clearly we need to wait for the patch and advisory and judge then. Obviously the advice has to be to patch as soon as possible especially this time because of the remotely exploitable bugs, it would be nice if Oracle would at least hint which component they are in. I guess if it was APEX then the Google hackers could easily find sites to attack!



New Comment
Name:
E-Mail:
Homepage:
Smilies:
smile shocked sad
big grin razz *wink wink* hey baby
angry, grr blush confused
cool crazy cry
sleepy hehe LOL
plain jane rolls eyes satisfied
 

April 2008
SMTWTFS
  12345
6789101112
13141516171819
20212223242526
27282930   

About

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Search weblog

Home and Archives

Weblog Home
Weblog Archives

Recommended reading

Oracle Security Step-by-Step (Version 2.0)

Useful links

Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Other useful blogs

Web Development
SQL Server Security

Syndication - Feeds

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0

Other Links


Valid XHTML 1.0!