Pete Finnigan's Oracle Security Weblog

Oracle's pre-patch advisory note for the next Critical Patch Update (CPU) due this Tuesday (15th) states that there are 17 new security fixes for the database, two for Apex and two of which are remotely exploitable without authentication. The advisory states:

"This Critical Patch Update contains 17 new security fixes for the Oracle Database including 2 for Oracle Application Express. Two of these vulnerabilities may be remotely exploited without authentication, i.e. may be exploited over a network without the need for a username and password. None of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed."

This, as Scott Spendolini states is confusing as it is unclear if these bugs are the APEX bugs or different bugs. If most CPU releases are anything to go by people had better beware as often exploits are released on sites such as Milw0rm soon after the CPU / patch is released. Where there are remotely exploitable bugs without the need of authentication this is much more serious.

As I said its unclear if these remotely exploitable bugs are APEX or not. If they are then a clear action for anyone to do is to de-install APEX if its not used. This is normal practice in security anyway, reduce the attack surface and ensure that only the features/components needed are installed. One of the new "features" of 11gR1 is the default install of APEX, if someone needs APEX they should install it, it doesnt need to be there by default, especially if there are security bugs in it. Clearly we need to wait for the patch and advisory and judge then. Obviously the advice has to be to patch as soon as possible especially this time because of the remotely exploitable bugs, it would be nice if Oracle would at least hint which component they are in. I guess if it was APEX then the Google hackers could easily find sites to attack!