Oracle Security Blog RSS

  • Critical Patch Update October 2007 Pre-Release Analysis

    Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) - Overall, 51 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous...
  • Oracle Jinitiator 1.1.8 Vulnerabilities

    US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the...
  • 11i: Setting Listener Passwords

    Oracle has released a Metalink Note on the proper procedure for setting passwords for the database and FNDFS listeners.  It is important to note that there are two listeners in an Oracle Applications 11i implementation.  The first is the...
  • 11i: Best Practices for Securing the E-Business Suite Updated July 2007

    Oracle has updated the white paper "Best Practices for Securing the E-Business Suite 11i" Metalink Note ID 189367.1 to version 3.0.5.  The major changes include - For 11.5.10.x, inclusion of a script to disable unnecessary...
  • Oracle Critical Patch Update - July 2007 - E-Business Suite Impact

    Oracle released the tenth Critical Patch Update (CPU) yesterday.  This quarter is the same as the previous ten with many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately like last...
  • OAUG eLearning: Oracle Critical Patch Update July 2007

    This quarter's Oracle Critical Patch Update (CPU) will be released on Tuesday, July 17th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday...
  • Critical Patch Update July 2007 Pre-Release Analysis

    Here is a brief analysis of the pre-release announcement for the upcoming July 2007 Critical Patch Update (CPU) - Overall, 46 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Apr-07=...
  • Is the Oracle Database Indefensible?

    Network security expert Richard Bejtlich recently posted some interesting comments regarding Oracle Security on his blog TaoSecurity. "Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk...
  • 11i: ATG RUP5 and CPU Impact

    Oracle has released the latest ATG rollup RUP5 (official name is 11i.ATG_PF.H.delta.5).  From a security perspective, RUP5 is important in three regards - The ATG rollups contain a number of security enhancements RUP5 incorporates ATG...
  • Oracle 9.2.0.8 April 2007 CPU Patch Available

    Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch much ahead of scheduled April 30th date.  Media reports (here) were critical of Oracle's failure to release this patch in a timely manner due to...
  • Oracle Critical Patch Update - April 2007 - E-Business Suite Impact

    Oracle released the tenth Critical Patch Update (CPU) yesterday.  This quarter is the same as the previous nine with many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, this...
  • 11i: Encrypted Password String Disclosure

    Integrigy has released an advisory regarding an undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn...
  • Critical Patch Update April 2007 Pre-Release Analysis

    Here is a brief analysis of the pre-release announcement for the upcoming April 2007 Critical Patch Update (CPU) - Overall, 37 security vulnerabilities are fixed in this CPU, which is much lower than average but in the range of previous CPUs (...
  • 11i: Integrigy Security Quick Reference Updated

    We have updated our Oracle Applications 11i Security Quick Reference to include new information and for 11.5.10 CU2. The Quick Reference is a simple two-pager meant to highlight some key security areas and settings. Oracle Applications 11i...
  • Oracle and Symantec Threat Report: Bad Counting?

    Usually, I am not in the position to defend Oracle on the number of vulnerabilities fixed, but the recent Symantec Internet Security Threat Report inflated the vulnerability count for Oracle by comparing apples and oranges.   This version...