Entries For: 2010
- July (3)
- May (1)
- April (1)
- March (1)
- January (1)
July 28, 2010
Upcoming Webinar: Oracle Critical Patch Update July 2010 Database Impact
Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for this webinar.
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for this webinar.
Categories:
July 11, 2010
Oracle Critical Patch Update July 2010 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2010 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle E-Business Suite 11i and R12
Planning Impact
- Overall, 38 Oracle security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and excludes any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
- Application Server = 10.1.2.3.0
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is 4 of 6 Oracle Database security vulnerabilities are remotely exploitable without authentication. It is rare to have a single remotely exploitable without authentication vulnerability in the database. Most likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application Builder. If the remotely exploitable vulnerabilities are in the Listener component, then this could only be a denial of service vulnerabilities.
- There are no major version support changes in for this CPU.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2010 CPU E-Business Suite Impact Webinar Thursday, July 22, 2pm ET and (2) Oracle July 2010 CPU Oracle Database Impact Webinar Thursday, July 29, 2pm ET.
Oracle Database
- There are 6 database vulnerabilities and four are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.8 (practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.
- There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication. For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control. Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.
Oracle E-Business Suite 11i and R12
- There are 7 new Oracle E-Business Suite 11i and R12 vulnerabilities, five of which are remotely exploitable without authentication.
- The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management. Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF) and these might exploitable in externally accessible web pages.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
July 09, 2010
Upcoming Webinars: Oracle Critical Patch Update July 2010
Integrigy's CTO, Stephen Kost, will be presenting a series of webinars on Oracle's Critical Patch Update for July 2010.
Oracle July 2010 CPU - Oracle E-business Suite Impact
Thursday, July 22, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the July 2010 CPU and the impact on E-Business Suite environments.
Topics will include;
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
Oracle July 2010 CPU - Oracle E-business Suite Impact
Thursday, July 22, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the July 2010 CPU and the impact on E-Business Suite environments.
Topics will include;
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
May 25, 2010
Upcoming IOUG Webinar - A Journey Through Enterprise Database Security for DBAs
Integrigy's CTO, Stephen Kost, will be presenting an Independent Oracle User's Group (IOUG) educational webinar as part of IOUG's Database Security Technical Education Series.
A Journey Through Enterprise Database Security for DBAs
Stephen Kost, Integrigy
Wednesday, May 26, 1:00pm - 2:00pm CT
This presentation is intended for Database Administrators. It will detail the enterprise database security requirements, regulatory requirements and monitoring of databases.
Click here to register for the webinar.
The webinar is free for IOUG Full Members and $49 for Associate Members and Non-members.
A Journey Through Enterprise Database Security for DBAs
Stephen Kost, Integrigy
Wednesday, May 26, 1:00pm - 2:00pm CT
This presentation is intended for Database Administrators. It will detail the enterprise database security requirements, regulatory requirements and monitoring of databases.
Click here to register for the webinar.
The webinar is free for IOUG Full Members and $49 for Associate Members and Non-members.
Categories:
April 15, 2010
Integrigy Oracle CPU Virtual Session Live from COLLABORATE 10
For those of you unable to attend the OAUG/IOUG COLLABORATE 10 User Conference in Las Vegas next week, the conference is offering a virtual experience of the conference. There will be 41 sessions available via webinar live from Las Vegas. Integrigy is pleased to announce that the following session is included in the roster of Plug-in to Vegas virtual sessions -
Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm
Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm
Categories:
March 30, 2010
Integrigy at COLLABORATE 10
For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. COLLABORATE 10 is Sunday, April 18, 2010 through Thursday, April 22, 2010 in Las Vegas. This year there will be over 1,000 technical sessions covering virtually every Oracle product.
If you are attending and would like to chat about the latest developments in Oracle security or discuss specific security challenges you might be facing, drop me a note and we can arrange to meet.
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions on securing Oracle products and participating on two panels.
Leveraging Oracle Database Security Technologies with Oracle E-Business Suite
Session #4556
Monday, April 19, 2010
10:45am - 11:45am
Panel: Governance, Risk & Compliance SIG Meeting
Session #4699
Tuesday, April 20, 2010
8:00am - 9:00am
Panel: Securing the E-Business Suite - Expert And Best Practices Panel
Session #3676
Wednesday, April 21, 2010
9:15am - 10:15am
Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm
Is Your Auditing Failing You?
Session #600
Thursday, April 22, 2010
11:00am - 12:00pm
(Note: the time for this presentation has changed)
See you in Las Vegas!
If you are attending and would like to chat about the latest developments in Oracle security or discuss specific security challenges you might be facing, drop me a note and we can arrange to meet.
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions on securing Oracle products and participating on two panels.
Oracle Applications Users Group (OAUG)
Leveraging Oracle Database Security Technologies with Oracle E-Business Suite
Session #4556
Monday, April 19, 2010
10:45am - 11:45am
Panel: Governance, Risk & Compliance SIG Meeting
Session #4699
Tuesday, April 20, 2010
8:00am - 9:00am
Panel: Securing the E-Business Suite - Expert And Best Practices Panel
Session #3676
Wednesday, April 21, 2010
9:15am - 10:15am
Independent Oracle Users Group (IOUG)
Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm
Is Your Auditing Failing You?
Session #600
Thursday, April 22, 2010
11:00am - 12:00pm
(Note: the time for this presentation has changed)
See you in Las Vegas!
Categories:
January 08, 2010
Oracle Critical Patch Update January 2010 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2010 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle E-Business Suite 11i and R12
Planning Impact
- Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU are 2 remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have a single remotely exploitable without authentication vulnerability in the database. Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup. If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
- There are no major version support changes in for this CPU.
Oracle Database
- There are 10 database vulnerabilities and two are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication there a buffer overflow in the Listener component that is remotely exploitable without authentication. Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).
- There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. The affected components are Access Manager Identify Server and Oracle Containers for J2EE. With maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.
Oracle E-Business Suite 11i and R12
- There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
- The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS. Of most interest will be if the AOL vulnerability is in an externally accessible web page.
Planning Impact
- The criticality of this quarter's CPU is in-line with previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Subscribe via RSS
Add to Google
Add to Yahoo!
Other Services