Entries For: January 2008
January 31, 2008
Oracle Exploits
A topic of conversation whenever discussing Oracle security vulnerabilities is the complexity of exploiting such vulnerabilities. Most Oracle professionals have only a cursory understanding of buffer overflows, SQL injection, cross-site scripting (XSS), privilege escalation, etc., and thus believe it is difficult to exploit many of the security bugs fixed in Oracle Critical Patch Updates. Most Oracle vulnerabilities are very difficult to exploit based solely on the information delivered by Oracle. Significant research, deep knowledge of the Oracle product, dissection of patches, and time are required to develop a new exploit. However, after developing a few exploits, the process becomes much easier, and an experienced professional may be able to develop a fully functional exploit in a matter of hours.
However, all is not lost for the newbie, novice attacker. Fortunately for those looking to reap ill-gotten fortunes from security-lax corporations, security researchers routinely publish detailed exploit code for at least a handful of the security bugs fixed each quarter. Any Oracle developer could easily execute almost all of these published exploits. With even limited knowledge of SQL and Oracle, an accounts payable clerk who did a little homework could possibly exploit some of these vulnerabilities. (Those of you who think the accounts payable clerk example is far-fetched should read the Secret Service's Banking and Financial Sector "Insider Threat Study".)
The published exploit code is not on some obscure web site; rather, it is frequently published on a number of reputable web sites and popular mailing lists. Simple Google searches on phrases like 'oracle exploits' return numerous hits. A recent trend has even been to incorporate evasion techniques into the exploit code, in case an organization has deployed a database intrusion prevention system.
Two well organized sites with many published exploits are -
- Red Database Security
- milw0rm
Both these sites are worth a visit to understand how simple it is to use many of these published exploits and how important it is to properly protect databases, application servers, and applications.
January 16, 2008
OAUG eLearning: Oracle Critical Patch Update January 2008
Thursday, January 17 at 9:00 am and 5:00 pm U.S. Eastern Time
"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business Suite since multiple patches are required, with some being cumulative and others needing prerequisites. This eLearning session will focus on the January 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."
This session is available free to OAUG members and you can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=1/1/2008
January 15, 2008
Oracle Critical Patch Update - January 2008 - E-Business Suite Impact
Oracle released the thirteenth Critical Patch Update (CPU) today. This quarter is the same as the previous twelve: many patches and long hours to get all the security patches applied in a timely manner. 17 of the 27 vulnerabilities fixed impact Oracle E-Business Suite 11i. Fortunately, as in the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for Oracle E-Business Suite 11i.
There is a significant Oracle Jinitiator patch that fixes a previously discussed vulnerability. The key part of upgrading Jinitiator is that all previous versions must be removed from the client PC, since every new version of Jinitiator is a unique install and does not remove the previous version.
For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.4 patch.
This quarter has a lower than average number of database vulnerabilities that can be exploited by low-privileged database accounts, although even if there were just one such vulnerability, the database security patch should still be a priority.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3 for the database and RUP4, RUP5, or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - January 2008 - E-Business Suite Impact
Oracle Critical Patch Update - January 2008 - Version Support Matrix
I will be presenting an OAUG eLearning Community Thursdays session this Thursday January 17th giving additional information on the CPU and its impact on your Oracle Applications implementation. OAUG members can sign-up for the session at -
http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007
January 10, 2008
Critical Patch Update January 2008 Pre-Release Analysis
- Overall, 27 security vulnerabilities are fixed in this CPU, which is the lowest number of bugs fixed since the original CPU released in January 2005 that fixed 25 bugs (Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- This is the first CPU that includes fixes for Oracle 11g (11.1.0.6).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3, 11.1.0.6
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
- Oracle instituted a new policy with the July 2007 CPU whereby platforms with few downloads of CPU patches will not have patches proactively created; the CPU patches will only be available upon request. According to the October 2007 CPU note (Metalink Note ID 455287.1), patches for 10.1.0.5 on several platforms will be available only upon request for the January 2008 CPU. The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
- There are 8 database vulnerabilities and none are remotely exploitable without authentication.
- At least one of the database security vulnerabilities has a CVSS 2.0 base score of 6.5, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database but is unable to gain root operating system access.
- According to the October 2007 CPU notes, there is only limited platform support for 10.2.0.2. Only the following platforms are supported for 10.2.0.2 by the January 2008 CPU: AIX 5L, HP Itanium, HP/UX, IBM zLinux, Linux x86-64, Linux Itanium, and Linux on Power. Key missing platforms include all Solaris and Windows operating systems.
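To make the 6.5 figure above concrete, here is an added CVSS 2.0 base-score calculator (example code written for this page, not Oracle's scoring tool). It implements the published CVSS v2 base equation and Oracle's reading of a vector: "remotely exploitable without authentication" means AV:N together with Au:N. The vector AV:N/AC:L/Au:S/C:P/I:P/A:P used in the sample is an assumption about what produces the 6.5; the post only states the score, not the metrics behind it.

```python
"""CVSS 2.0 base-score calculator (added example, not from the original post)."""
import re
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_vector(vector):
    """Split a v2 base vector into its six metric letters, rejecting anything else."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS 2.0 base vector: {vector!r}")
    return m.groups()


def base_score(vector):
    """CVSS v2 BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    av, ac, au, c, i, a = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # Round half-up to one decimal, as the specification does.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def classify(vector):
    """Score plus the two questions a CPU reader asks: remote without auth, and needs a session?"""
    av, ac, au, c, i, a = parse_vector(vector)
    return {
        "score": base_score(vector),
        # Oracle's advisory column "Remote Exploit without Auth." is AV:N and Au:N.
        "remote_without_auth": av == "N" and au == "N",
        # Au:S or Au:M means the attacker already holds valid credentials/session.
        "needs_valid_session": au != "N",
    }


if __name__ == "__main__":
    # Assumed vector for the "valid database session, partial C/I/A" case described in the post.
    for v in ("AV:N/AC:L/Au:S/C:P/I:P/A:P", "AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:L/AC:L/Au:N/C:N/I:N/A:P"):
        print(v, classify(v))
```

The first sample vector evaluates to 6.5 with `remote_without_auth` false and `needs_valid_session` true, which is exactly the shape the analysis describes: a logged-in database user, partial confidentiality, integrity and availability impact, no claim of operating-system root. A quick way to triage a CPU is to run each listed vector through `classify` and sort by score within the "needs a session" bucket.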
Oracle Application Server
- 5 of the 6 vulnerabilities are remotely exploitable without authentication, although none impact the Oracle HTTP Server (Apache).
- A previously disclosed Jinitiator bug is fixed and the key to fixing this bug is removal of previous Jinitiator versions from all client PCs as well as upgrading Jinitiator on the application servers. Whenever possible, Jinitiator should be upgraded to at least 1.3.1.29 or replaced with the Sun Java Plug-in.
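Because each Jinitiator release installs side by side with the last (noted in this bullet and in the January 15 post above), an upgrade campaign needs a check that a client PC carries exactly one Jinitiator install and that it meets the 1.3.1.29 floor. The following added example (written for this page, not Integrigy's or Oracle's tooling) audits a constructed software-inventory export; the "Oracle JInitiator <version>" display-name pattern and the tab-separated "hostname, program name" layout are assumptions about how such an export looks.

```python
"""Flag client PCs that still carry stale or duplicate Oracle JInitiator installs.

Added example, not from the original post. Input is a constructed
Add/Remove Programs-style inventory: one "hostname<TAB>display name" per line.
"""
import re
from collections import defaultdict

MINIMUM_VERSION = (1, 3, 1, 29)  # floor stated in the post: at least 1.3.1.29

# Assumed display-name pattern; adjust to match the inventory tool in use.
JINIT_RE = re.compile(r"Oracle JInitiator (\d+(?:\.\d+)+)", re.IGNORECASE)

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """\
pc-001\tOracle JInitiator 1.3.1.29
pc-001\tOracle JInitiator 1.3.1.21
pc-002\tOracle JInitiator 1.3.1.29
pc-003\tOracle JInitiator 1.1.8.16
pc-003\tAdobe Reader 8
pc-004\tJava(TM) 6 Update 3
"""


def parse_version(text):
    """Compare versions numerically: as strings, "1.3.1.9" would sort above "1.3.1.29"."""
    return tuple(int(part) for part in text.split("."))


def jinitiator_installs(inventory_text):
    """Map hostname -> sorted list of JInitiator version tuples found on it."""
    found = defaultdict(list)
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, name = line.partition("\t")
        m = JINIT_RE.search(name)
        if m:
            found[host].append(parse_version(m.group(1)))
    return {host: sorted(versions) for host, versions in found.items()}


def audit(inventory_text, minimum=MINIMUM_VERSION):
    """Return {host: [findings]}. A host is clean only when it has exactly one
    JInitiator install and that install meets the minimum version."""
    findings = {}
    for host, versions in jinitiator_installs(inventory_text).items():
        problems = []
        stale = [v for v in versions if v < minimum]
        if stale:
            problems.append(
                "below minimum: " + ", ".join(".".join(map(str, v)) for v in stale)
            )
        if len(versions) > 1:
            problems.append(
                f"{len(versions)} JInitiator versions side by side; old ones were not uninstalled"
            )
        if problems:
            findings[host] = problems
    return findings


if __name__ == "__main__":
    for host, problems in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, "->", "; ".join(problems))
```

On the constructed sample, pc-001 is flagged twice (an old 1.3.1.21 still present beside 1.3.1.29) and pc-003 once (1.1.8.16 only); pc-002 is clean and pc-004, which has no Jinitiator at all, is simply absent from the findings. The numeric version comparison matters: a plain string sort would wrongly rank 1.3.1.9 above 1.3.1.29.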
Oracle E-Business Suite 11i and R12
- 3 of the 7 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication. Most of the vulnerabilities are in core components like OA Framework, so all implementations should consider most of these patches as critical.
- 11.5.8 is no longer supported and therefore has no CPU support. April 2008 will be the last CPU for 11.5.9.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Note: The pre-release announcement is removed when the CPU is released.
Critical Patch Update January 2008 E-Mail Reminder
What is missing from the e-mail is that on Thursday, January 10th, Oracle will release a pre-announcement of the upcoming CPU with some details as to the number of security bugs fixed and the maximum severity of the bugs fixed for each product set. This pre-announcement provides limited insight but generally won't change many organizations' plans unless something dramatic and out of the ordinary is fixed. It is most useful for Oracle Application Server and Oracle E-Business Suite customers, as there is variability in the components fixed, and a specific CPU may not impact security-critical components like Single Sign-On or EBS Internet modules.
From: Oracle Security Alerts [mailto:replies@oracle-mail.com]
Sent: Thursday, January 10, 2008 12:25 AM
To: Kost, Stephen
Subject: Oracle Critical Patch Update January 2008
January 9th, 2008
Oracle Critical Patch Update January 2008
Dear Oracle customer,
The Critical Patch Update for January 2008 is planned to be released on January 15, 2008. Oracle strongly recommends applying the patches as soon as possible.
The Critical Patch Update Advisory is the starting point for relevant information. It includes the list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities for each product suite, and links to other important documents. Supported products that are not listed in the "Supported Products and Components Affected" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Critical Patch Update Advisory is available at any of the following locations:
Oracle Technology Network: http://www.oracle.com/technology/deploy/security/alerts.htm
Oracle, PeopleSoft and JD Edwards products: http://www.peoplesoft.com/corp/en/support/security_index.jsp
The next four Critical Patch Update release dates are:
April 15, 2008
July 15, 2008
October 14, 2008
January 13, 2009
Sincerely, Oracle Security Alerts