<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:syn="http://purl.org/rss/1.0/modules/syndication/"
         xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="http://www.integrigy.com/security-resources/security-resources-updates/RSS">
  <title>Security Resources - Updates</title>
  <link>http://www.integrigy.com</link>
  
  <description>
    
       
       
  </description>
  
  
  
            <syn:updatePeriod>daily</syn:updatePeriod>
            <syn:updateFrequency>1</syn:updateFrequency>
            <syn:updateBase>2006-07-17T03:20:06Z</syn:updateBase>
        
  
  <image rdf:resource="http://www.integrigy.com/Integrigy_logo.gif"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-April-2008-Analysis.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2008.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/whitepapers/IOUG_Real-life_Database_Security_Mistakes.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/whitepapers/IOUG_Oracle_Critical_Patch_Updates_Unwrapped.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/whitepapers/OAUG_Oracle_Critical_Patch_Updates_Insight_and_Understanding.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-January-2008-Analysis.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-January-2008.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-October-2007-Analysis.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-October-2007.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_July_2007_Analysis.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-July-2007.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2007.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf"/>
        
    </rdf:Seq>
  </items>

</channel>

    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-April-2008-Analysis.pdf">        <title>Oracle Critical Patch Update - April 2008 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-April-2008-Analysis.pdf</link>        <description>An analysis of the impact to Oracle E-Business Suite implementations for the April 2008 Oracle Critical Patch Update. Each analysis includes information on the vulnerabilities disclosed by Oracle, a review of the patches, and suggestions on when and how to apply the patches.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2008-04-23T21:36:04Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2008.pdf">        <title>Oracle Critical Patch Update - April 2008 - Version Support Matrix</title>        <link>http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2008.pdf</link>        <description>The product versions supported by Oracle’s Critical Patch Updates (CPU) are a subset of the certified versions, thus a certified version may not be supported by the latest CPU. This document highlights the differences between certified versions and April 2008 CPU supported versions.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle Database</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2008-04-23T21:33:47Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/whitepapers/IOUG_Real-life_Database_Security_Mistakes.pdf">        <title>IOUG - Real-life Database Security Mistakes</title>        <link>http://www.integrigy.com/security-resources/whitepapers/IOUG_Real-life_Database_Security_Mistakes.pdf</link>        <description>IOUG COLLABORATE 08 Presentation - You did everything by the book, followed the database security checklists, and implemented security best practices, but one day you find significant security issues in one of your databases. How did this happen? After auditing hundreds of databases, I have compiled a list of common database security mistakes and potential causes of each mistake. Learn from others' mistakes and what you can do to prevent these mistakes from happening on your watch. Common database security mistakes can impact every aspect of the Oracle Database and include reappearing default passwords, misapplied Critical Patch Update security patches, and wayward privileges and grants. Time is the chief enemy of database security as many security mistakes are innocently introduced over time, so security needs to be a process rather than a one-time task.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>COLLABORATE</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2008-04-18T18:25:31Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/whitepapers/IOUG_Oracle_Critical_Patch_Updates_Unwrapped.pdf">        <title>IOUG - Oracle Database Critical Patch Updates Unwrapped</title>        <link>http://www.integrigy.com/security-resources/whitepapers/IOUG_Oracle_Critical_Patch_Updates_Unwrapped.pdf</link>        <description>IOUG COLLABORATE 08 Presentation - Ever wonder what is being fixed in an Oracle Critical Patch Update? As a follow-up to the 2007 IOUG SELECT Journal article "Oracle Critical Patch Updates: Common Questions", this session will provide an inside look at the Critical Patch Updates (CPU) and the security bugs fixed by the CPU patches. Understand what buffer overflows and SQL injection attacks are by seeing how these types of security bugs compromise the security of the database. Learn about the complexities of the CPU patches including certification issues, patch differences across operating systems, and why the latest database version may not yet have released security fixes. Best practices for installing and testing CPU patches will be discussed.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>COLLABORATE</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2008-04-18T18:23:09Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/whitepapers/OAUG_Oracle_Critical_Patch_Updates_Insight_and_Understanding.pdf">        <title>OAUG - Oracle E-Business Suite Critical Patch Updates: Insight and Understanding</title>        <link>http://www.integrigy.com/security-resources/whitepapers/OAUG_Oracle_Critical_Patch_Updates_Insight_and_Understanding.pdf</link>        <description>OAUG COLLABORATE 08 Presentation - Security bugs in Oracle Applications are fixed by Oracle on a quarterly basis with Critical Patch Updates (CPU). The security researcher who has discovered many of these bugs will provide insight into the types of security issues fixed by these patches. Understand what buffer overflows and SQL injection attacks are by seeing how these types of security bugs compromise the security of Oracle Applications. Best practices for installing and testing CPU patches will be discussed.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>COLLABORATE</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2008-04-18T18:22:48Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-January-2008-Analysis.pdf">        <title>Oracle Critical Patch Update - January 2008 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-January-2008-Analysis.pdf</link>        <description>An analysis of the impact to Oracle E-Business Suite implementations for the January 2008 Oracle Critical Patch Update. Each analysis includes information on the vulnerabilities disclosed by Oracle, a review of the patches, and suggestions on when and how to apply the patches.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2008-01-16T04:53:36Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-January-2008.pdf">        <title>Oracle Critical Patch Update - January 2008 - Version Support Matrix</title>        <link>http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-January-2008.pdf</link>        <description>The product versions supported by Oracle’s Critical Patch Updates (CPU) are a subset of the certified versions, thus a certified version may not be supported by the latest CPU. This document highlights the differences between certified versions and January 2008 CPU supported versions.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2008-01-16T04:53:42Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-October-2007-Analysis.pdf">        <title>Oracle Critical Patch Update - October 2007 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/analysis/Integrigy-Oracle-CPU-October-2007-Analysis.pdf</link>        <description>An analysis of the impact to Oracle E-Business Suite implementations for the October 2007 Oracle Critical Patch Update. Each analysis includes information on the vulnerabilities disclosed by Oracle, a review of the patches, and suggestions on when and how to apply the patches.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2007-10-17T18:01:45Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-October-2007.pdf">        <title>Oracle Critical Patch Update - October 2007 - Version Support Matrix</title>        <link>http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-October-2007.pdf</link>        <description>The product versions supported by Oracle’s Critical Patch Updates (CPU) are a subset of the certified versions, thus a certified version may not be supported by the latest CPU. This document highlights the differences between certified versions and October 2007 CPU supported versions.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle Database</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2007-10-17T18:00:09Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf">        <title>Oracle Jinitiator 1.1.8 Buffer Overflow Vulnerability Analysis</title>        <link>http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf</link>        <description>US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467).  Due to limited public technical information on Jinitiator, no access to the Oracle support website, and maybe lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and has only limited remediation steps.

This analysis provides information on the true scope of affected Jinitiator versions, comprehensive and recommended remediation steps, and an overview of the risks associated with this vulnerability.  The objective of this analysis is to assist IT security professionals, IT managers, and database administrators in assessing the impact on their Oracle Forms implementations and the risks associated with this vulnerability, especially since Jinitiator is deployed in many large organizations and as part of mission critical applications like the Oracle E-Business Suite, Oracle Clinical, and SunGard Banner.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle</dc:subject>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>Buffer Overflow</dc:subject>                <dc:date>2007-09-11T20:32:47Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_July_2007_Analysis.pdf">        <title>Oracle Critical Patch Update - July 2007 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_July_2007_Analysis.pdf</link>        <description>An analysis of the impact to Oracle E-Business Suite implementations for the July 2007 Oracle Critical Patch Update. Each analysis includes information on the vulnerabilities disclosed by Oracle, a review of the patches, and suggestions on when and how to apply the patches.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2007-07-18T20:11:39Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-July-2007.pdf">        <title>Oracle Critical Patch Update - July 2007 - Version Support Matrix</title>        <link>http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-July-2007.pdf</link>        <description>The product versions supported by Oracle’s Critical Patch Updates (CPU) are a subset of the certified versions, thus a certified version may not be supported by the latest CPU. This document highlights the differences between certified versions and July 2007 CPU supported versions.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2007-07-18T20:13:06Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf">        <title>Oracle Critical Patch Update - April 2007 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/analysis/Integrigy_Oracle_CPU_April_2007_Analysis.pdf</link>        <description>An analysis of the impact to Oracle E-Business Suite implementations for the April 2007 Oracle Critical Patch Update. Each analysis includes information on the vulnerabilities disclosed by Oracle, a review of the patches, and suggestions on when and how to apply the patches.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2007-04-19T02:56:18Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2007.pdf">        <title>Oracle Critical Patch Update - April 2007 - Version Support Matrix</title>        <link>http://www.integrigy.com/security-resources/analysis/Oracle-CPU-Support-Matrix-April-2007.pdf</link>        <description>The product versions supported by Oracle’s Critical Patch Updates (CPU) are a subset of the certified versions, thus a certified version may not be supported by the latest CPU.  This document highlights the differences between certified versions and April 2007 CPU supported versions.  </description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>skost</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle Database</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2007-04-18T14:53:18Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf">        <title>Oracle Applications 11i Encrypted Password Disclosure</title>        <link>http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf</link>        <description>An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn can be decrypted using previously published information.  An attacker can potentially obtain either any user's password or the Oracle Applications' main database account password (APPS).  The attacker must have direct SQL*Net access to the database (e.g., SQL*Plus) and to exploit the vulnerability neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" can be enabled.  The underlying issue is that Oracle Applications passwords can be easily decrypted using methods previously published.  All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2007-04-12T13:37:35Z</dc:date>        <dc:type>File</dc:type>    </item>




</rdf:RDF>
