Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
The latest and greatest Critical Patch Update from Oracle was released last night along with the usual advisory. I talked about the pre-release note a few days ago here in a post titled "Oracle's October pre-CPU advisory is released". Oracle's actual advisory is here. There is not much more to say now than there was for the pre-release note, except for two things of note in the advisory. The first is that there is a nice array of "names" in terms of the number of people credited. There are just 38 bugs fixed across the whole range of products, so there is a good cross-reference of people to bugs. What does this mean? New people looking at Oracle security, or just new people because some of the products are new to the process? Remember the post "How many Security bugs are in the Oracle database software product set"? This also means that the number of actual bugs is bigger. All this sums up to good positive steps on Oracle's product security: bugs are being tackled, and people are interested in helping Oracle test their software.
The second thing of note for me is that there are 6 bugs in the database with a CVSS score of 10.0 on Windows and 7.5 on other operating systems, and also the problem that they are remotely exploitable without a username or password. Anyway, the interesting thing is the advice for workarounds; on average Oracle do not usually give workaround advice. In this case they say to remove privileges or the ability to access the affected packages, and also to restrict network protocols. Of course the primary advice is to apply the CPU.
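As an added example (not from the post or from Oracle's advisory), this is the kind of check a DBA would run before and after applying the "remove privileges on the affected packages" workaround. SYS.SOME_PACKAGE is a placeholder for whichever package the advisory actually names, and APP_OWNER is an assumed schema that legitimately needs it.

```sql
-- Added example, not from the advisory. SYS.SOME_PACKAGE is a placeholder
-- for the package named in the CPU advisory; APP_OWNER is an assumed schema.

-- 1. Who can execute the package today? A grant to PUBLIC is the usual
--    concern, because it makes the package reachable by any session that
--    can authenticate at all.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'SOME_PACKAGE'
   AND privilege = 'EXECUTE'
 ORDER BY grantee;

-- 2. Which objects in other schemas depend on it? Revoking EXECUTE from
--    PUBLIC invalidates dependent PL/SQL that relied on that grant, so
--    review this list before revoking and re-grant only where justified.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name = 'SOME_PACKAGE'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, name;

-- 3. The workaround itself: take the package out of reach of PUBLIC, then
--    grant it back only to the specific schemas or roles step 2 showed
--    actually need it (commented out here; uncomment per dependency).
REVOKE EXECUTE ON sys.some_package FROM PUBLIC;
-- GRANT EXECUTE ON sys.some_package TO app_owner;

-- 4. Verify: PUBLIC should no longer hold EXECUTE on the package.
SELECT COUNT(*) AS public_execute_grants
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'SOME_PACKAGE'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE';
```

Re-run step 1 after applying the CPU as well; the workaround and the patch are independent, and a later grant can quietly reintroduce the exposure.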
Also, Paul has released a new paper, "Create table to OSDBA with reverse shell". Paul explains how in the paper.