
Pete Finnigan's Oracle security weblog


Oracle's October pre-cpu advisory is released

October 16th, 2009 by Pete

Oracle's usual pre-release for the CPU (Critical Patch Update) for October has been released. The pre-release document is usually released the Thursday before the CPU; the CPU is due out next Tuesday, the 20th October. The CPU should have been out this Tuesday, but Oracle delayed it because of Open World.

The CPU contains 38 security fixes (16 for the database), but if we consider Oracle's internal fixing rate (i.e. security bugs that are not individually recognised on the advisory), this may actually indicate that there could be 123 silently fixed bugs (who knows!).

The bigger worry is that for this CPU 16 bugs are fixed in the database, one is for the client only and 6 are exploitable remotely without a username and password. The highest CVSS score is 10.0 for Windows and 7.5 for other platforms.

The cynical view, when Oracle delayed the release of the CPU until after Open World to allow DBAs to attend without worrying about applying patches, was that there was bad news coming. Well, the number of bug fixes is not astronomical, but the news is bad: 6 remotely exploitable bugs without authentication and a CVSS of 10.0 is not exactly good news. The pre-release is now issued after Open World with this news.


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
