
News

SearchSecurity: Symantec threat report under the microscope
"Stephen Kost, CTO of Chicago-based security firm Integrigy Corp., wrote in his blog that while he's usually not in a position to defend Oracle's patching process, he did think Symantec overshot the database giant's vulnerability count."
SearchSecurity - Oracle fixes 101 flaws
Overall, [Integrigy] said, the number of flaws this quarter is high compared to previous CPUs, but includes a similar number of database and application server vulnerabilities. "The spike is due to 35 vulnerabilities in Oracle Application Express (formerly HTMLDB)," the company said.
Investor's Business Daily - Is There A Better Way To Protect Your Data?
"Other firms with in-depth database scanning software are privately-held Integrigy, based in Chicago, and ..."
Silicon.com - Oracle issues product security fix
"Oracle has issued an upgrade to its E-Business Suite 11i diagnostics module containing a number of security fixes, according to an alert from applications security firm Integrigy. In releasing the upgrade, Oracle took an unusual move by alerting its users about the security patches, according to Integrigy's advisory. Historically, the software maker has released product upgrades but not disclosed whether they included security fixes, Integrigy noted."
SC Magazine - Surprise business suite fix from Oracle
The fix was intended for Oracle Diagnostics, a troubleshooting feature of Oracle E-Business Suite 11i, "that allows system administrators and other users to execute technical and functional tests on the configuration and setup of the application," according to analysis by the Integrigy Corporation.
Security Pro - Oracle’s Early Security Patch Release: 11i Update
"On Friday, security-consulting firm Integrigy published an advisory regarding the vulnerabilities including high risk vulnerabilities in multiple areas. When 11i was originally designed, it was designed to help IT admins to conduct tests."
ZDNet - Oracle update fixes security flaws
"A number of high-risk SQL injection and parameter manipulation security vulnerabilities in the Oracle E-Business Suite are corrected by the security patches released" Tuesday, said security company Integrigy, which produces tools for a number of enterprise applications from companies such as Oracle and PeopleSoft. "Customers with Internet-facing implementations of the Oracle E-Business Suite should consider applying these patches as soon as possible."
InformationWeek - Oracle Patches E-Business Security Flaws Ahead Of Schedule
The patch was brought to light through a report issued by Integrigy Corp., a provider of application security software for Oracle products, one day after Oracle announced the problem. "There exist a number of high-risk security vulnerabilities in the Oracle Diagnostics Web pages and Java classes," the Integrigy report says. "The most significant issue with the Oracle Diagnostics is that some of the diagnostics can be executed without any authentication and it is possible to configure the diagnostics to be unrestricted." The patch also fixes several permission issues and SQL injection vulnerabilities.
ZDNet - Oracle patches 11i security flaws
Oracle has issued an upgrade to its E-Business Suite 11i diagnostics module containing a number of the security fixes, according to applications security firm Integrigy. In releasing the upgrade, Oracle made an unusual move by alerting its users about the security patches, according to Integrigy's advisory.
CNET - Oracle issues security patch
Oracle has issued an upgrade to its E-Business Suite 11i diagnostics module containing a number of the security fixes, according to an alert from applications security firm Integrigy. "The significant [security] issue is [that] some diagnostics can be executed without any authentication, and it is possible to configure the diagnostics to be unrestricted," according to the Integrigy report.
NetworkWorld - Oracle publishes out-of-cycle security fix
Oracle executives could not immediately be reached for comment on the update, but the company is advising customers to apply the patch "due to the number of security fixes included," according to enterprise software consulting firm Integrigy. The problems relate to the Oracle Diagnostics Web pages and to the Java classes included with the software, which could be inappropriately used by an attacker. "The most significant issue with the Oracle diagnostics is that some of the diagnostics can be executed without any authentication," Integrigy said in an analysis of the patch.
SearchSecurity - Admins grapple with latest Oracle patch puzzle
Another application security firm, Chicago-based Integrigy Corp., issued a similar warning regarding the Oracle E-Business Suite. "Customers with Internet-facing implementations of the Oracle E-Business Suite are at most risk and should consider applying these patches quickly," it said in an advisory. "The Oracle E-Business Suite patches involved with this Critical Patch Update (CPU) are much more complex as compared to the previous CPUs, and will require additional functional testing in our opinion. In addition, the [patches] are not cumulative. Therefore, all the patches specified in this CPU and previous CPUs must be applied."
Oracle Magazine - Middle Matters
"During an extensive security audit last year, security consultancy Integrigy agreed. Integrigy told us after a comprehensive security audit that we're a step ahead of everybody else because we don't have a lot of interfaces built to legacy systems and a lot of conversions across boxes that are speaking to each other," says Cerny. "Any time you upgrade, integrations potentially become vulnerable to security issues. One of the main points of Oracle Fusion Middleware, and Oracle in general, is to ensure that it all upgrades smoothly."
InternetNews - Oracle Plugs Three Security Holes
"That hole, discovered by researchers Integrigy, affects the Oracle E-Business Suite 11i and Oracle Applications 11.x through 11i. The company said the problem existed in the 'aoljtest.jsp' script which is part of the OA Framework Test Suite. The script contains multiple vulnerabilities that could allow malicious people to see system information, including the guest user's password and application server security key."
InternetNews - Oracle Patch Day: Critical Flaws Fixed
"Research firm Integrigy, which helped Oracle identify some of the vulnerabilities, also issued a separate alert with a warning that they 'can be exploited in all Oracle Applications implementations.'"
CRM Buyer - Oracle Flaw Underscores Enterprise Software Security Risks
"Stephen Kost, chief technology officer at Integrigy, a security company that focuses on security for large enterprise, mission-critical applications, exposed the weakness."
CNet - Another 'critical' flaw, this time from Oracle
"The vulnerability was discovered by Stephen Kost, chief technology officer for Integrigy, a company focused on creating software to secure critical corporate applications. Integrigy's own advisory jibed with Oracle's on the ease with which the flaw could be exploited."
eWeek - Critical Flaw Uncovered in Oracle E-Business Suite, Applications
"The vulnerabilities were uncovered by Stephen Kost from the security firm Integrigy Corp. An alert put out by Integrigy last week described the flaw as being exploitable by a remote user who can send a specially crafted URL to a Web server via a browser."
TechWorld - Oracle E-Business hopelessly compromised by new hole
"Integrigy has detected multiple, highly critical vulnerabilities in Oracle E-Business Suite and Oracle Applications. Immediate patching is the only answer since, as Oracle itself puts it, “any user with browser access and specialised knowledge can exploit these vulnerabilities.” The vulnerabilities discovered by the security company's Stephen Kost affect E-Business Suite release 11i and all releases from 11.5.1 through 11.5.8, plus Oracle Applications 11.0, all releases."
SearchOracle - Oracle: Users should patch flaws ASAP
"The three vulnerabilities were discovered more than a month ago by Stephen Kost of Integrigy Corp., a Chicago-based security consulting company specializing in customer relationship management (CRM) applications."