Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "SQL Injection tools"] [Next entry: "nCipher provides encryption key management for TDE in Oracle 11g"]

Oracle Patch Tuesday Is Coming



Well its been a while since my last blog post, it has been a hectic few weeks workwise, so little time to clear emails, blogs and all those things I would like to do but cannot because work gets in my way.. sad

The next in the line of the Critical Patch Updates (CPU) July 2008 for the Oracle product stack is due next Tuesday, the 15th of July. The pre-release announcement was released last Tuesday, titled "Oracle Critical Patch Update Pre-Release Announcement - July 2008" and it details a potential tally of 45 fixes across a very wide range of products. The database layer is my particular sphere of interest and there are 11 fixes in the database, this time none that can be remotely expolited without a password, this doesn't imply or deny if any are remotely exploitable with a password!. The highest CVSS score is 6.5 which is quite high considering the methods used to calculate it. The interesting ones are "authentication" as that implies a fault in the authentication mechanism, presumably from the above statement that is not expliotable until after the authentication completes, i.e. you need a password. Core RDBMS sounds interesting as does database vault. The others could in most cases be PL/SQL based issues, we will need to wait and see next week.

There are a whole raft of news reports about the same pre-release document mostly all summarising whats in it. You can query Google for "Oracle Security" in the news and read them.