Two weeks after the initial release of the October 2006 Critical Patch Update (CPU) Advisory, Oracle added information that Oracle Database 18.104.22.168 is vulnerable and that a patch would be made available at a later date. The 22.214.171.124 patch release date keeps getting pushed back and is now scheduled for December 22 on Unix/Linux and December 15 for Windows (a date that was 5 days ago at the time of writing).
We have updated our free Oracle Database Listener Security Check tool, which analyzes the security of the Oracle Database TNS Listener to identify potential security issues. The tool performs four basic checks against the Database Listener in a simple and user-friendly way - (1) is a listener password set, (2) is ADMIN_RESTRICTIONS set, (3) is logging enabled, and (4) is LOCAL_OS_AUTHENTICATION enabled for Oracle 10g. It is a single executable that can be run from any Windows XP/2000 PC, requires no Oracle client install, and can
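The same four checks can be run offline against a listener.ora file. The following is an added example written for this post; it is not Integrigy's tool (which queries a live listener) and not code from the original page. It assumes a listener named LISTENER, uses two constructed listener.ora samples (one weak, one hardened; the password hash is a placeholder), and applies the documented defaults: ADMIN_RESTRICTIONS defaults to OFF, LOGGING defaults to ON, and LOCAL_OS_AUTHENTICATION defaults to ON on 10g.

```python
import re

# Constructed sample listener.ora files for a listener named LISTENER.
# Illustrative only; not taken from the original page or from Integrigy's tool.
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
# No PASSWORDS_LISTENER and no ADMIN_RESTRICTIONS_LISTENER entry at all.
LOGGING_LISTENER = OFF
LOCAL_OS_AUTHENTICATION_LISTENER = OFF
"""

HARDENED_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521))
    )
  )
PASSWORDS_LISTENER = (0123456789ABCDEF)     # placeholder hash, not a real value
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
LOCAL_OS_AUTHENTICATION_LISTENER = ON
"""

# Matches top-level scalar assignments such as "LOGGING_LISTENER = ON".
# Lines that open a nested block ("LISTENER =") or start with "(" do not match.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(\S.*?)\s*$")


def parse_listener_params(text):
    """Return {PARAM_NAME: value} for the scalar parameters in a listener.ora."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def check_listener(params, listener="LISTENER", oracle_10g=True):
    """Evaluate the four basic listener checks.

    Returns a list of (check, passed, detail) tuples. Missing parameters are
    evaluated at their documented defaults: ADMIN_RESTRICTIONS off, LOGGING on,
    LOCAL_OS_AUTHENTICATION on (10g only; the check is skipped for 9i and earlier).
    """
    sfx = "_" + listener.upper()
    pw = params.get("PASSWORDS" + sfx, "").strip("() ")
    admin = params.get("ADMIN_RESTRICTIONS" + sfx, "OFF").upper()
    logging = params.get("LOGGING" + sfx, "ON").upper()
    results = [
        ("listener password set", pw != "",
         "PASSWORDS" + sfx + (" present" if pw else " missing")),
        ("ADMIN_RESTRICTIONS enabled", admin == "ON",
         "ADMIN_RESTRICTIONS" + sfx + " = " + admin),
        ("listener logging enabled", logging == "ON",
         "LOGGING" + sfx + " = " + logging),
    ]
    if oracle_10g:
        losa = params.get("LOCAL_OS_AUTHENTICATION" + sfx, "ON").upper()
        results.append(("LOCAL_OS_AUTHENTICATION enabled (10g)", losa == "ON",
                        "LOCAL_OS_AUTHENTICATION" + sfx + " = " + losa))
    return results


def report(text, label):
    """Print a PASS/FAIL line per check for one listener.ora text."""
    print(label)
    for check, ok, detail in check_listener(parse_listener_params(text)):
        print("  [%s] %-38s %s" % ("PASS" if ok else "FAIL", check, detail))


if __name__ == "__main__":
    report(WEAK_LISTENER_ORA, "weak listener.ora")
    report(HARDENED_LISTENER_ORA, "hardened listener.ora")
```

Run the block to see all four checks fail on the weak file and pass on the hardened one; pass `oracle_10g=False` to `check_listener` when reviewing a 9i listener, where LOCAL_OS_AUTHENTICATION does not apply.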
The inherent weakness of the Oracle Applications 11i user password algorithm is a topic that every so often gets some attention. It bubbles up and then is largely forgotten by most. However, the issue does not go away and is very much alive today, even in 126.96.36.199. See the references at the end of this post for a little history of the topic. This password weakness (along with the APPLSYSPUB database account) is really a holdover from the client/server days and is an inherent design flaw in the current architecture of Oracle Applications.
With the advent of legislative mandates like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), the security and auditing of Oracle Databases has become much more of a priority for most organizations. A common solution has been to implement an Oracle-aware Intrusion Detection System (IDS) or auditing product to address these legislative mandates and increased auditor scrutiny.
In a follow-up to my previous post regarding mystery patches for 188.8.131.52 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 184.108.40.206. However, the patches for 220.127.116.11 are still not available and have an anticipated release date of December 15, 2006 (note: the initial release date was November 15, 2006).
A new attack vector for the Oracle Database has been identified related to exploiting DBMS_SQL cursors that have not properly been closed. The name for this type of attack is "Dangling Cursor Snarfing." David Litchfield's paper on the topic can be found here.
Exploitation of this type of vulnerability is limited and requires ALL of the following conditions -
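The defensive side of this issue is straightforward: a DBMS_SQL cursor opened by a definer-rights procedure must be closed on every exit path, including the exception path. The following is an added example, not code from the original post or from Litchfield's paper. It embeds two constructed PL/SQL procedures (a leaky one with no exception handler and a hardened one that closes the cursor in its handler) and runs a coarse static check over them; the check is a review-time heuristic that looks for DBMS_SQL.OPEN_CURSOR without a DBMS_SQL.CLOSE_CURSOR in the unit's outermost EXCEPTION section, and it will not catch every unclosed-cursor path.

```python
import re

# Constructed PL/SQL samples (not from the original page). Both are definer-rights
# procedures that parse a statement with DBMS_SQL and bind a caller-supplied value.
LEAKY_PROC = """
CREATE OR REPLACE PROCEDURE leaky_query(p_id IN NUMBER) AUTHID DEFINER AS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT 1 FROM sys.user$ WHERE user# = :id', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':id', p_id);
  n := DBMS_SQL.EXECUTE(c);     -- an exception here leaves c open in the session
  DBMS_SQL.CLOSE_CURSOR(c);
END;
"""

HARDENED_PROC = """
CREATE OR REPLACE PROCEDURE safe_query(p_id IN NUMBER) AUTHID DEFINER AS
  c INTEGER;
  n INTEGER;
BEGIN
  c := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(c, 'SELECT 1 FROM sys.user$ WHERE user# = :id', DBMS_SQL.NATIVE);
  DBMS_SQL.BIND_VARIABLE(c, ':id', p_id);
  n := DBMS_SQL.EXECUTE(c);
  DBMS_SQL.CLOSE_CURSOR(c);
EXCEPTION
  WHEN OTHERS THEN
    IF DBMS_SQL.IS_OPEN(c) THEN
      DBMS_SQL.CLOSE_CURSOR(c);  -- release the handle before re-raising
    END IF;
    RAISE;
END;
"""


def strip_comments(src):
    """Remove -- line comments and /* */ block comments so they cannot fool the check."""
    src = re.sub(r"--[^\n]*", "", src)
    return re.sub(r"/\*.*?\*/", "", src, flags=re.S)


def audit_unit(src):
    """Heuristic check of one CREATE ... unit for an unclosed DBMS_SQL cursor path."""
    body = strip_comments(src)
    name_m = re.search(
        r"CREATE\s+(?:OR\s+REPLACE\s+)?(?:PROCEDURE|FUNCTION|PACKAGE\s+BODY)\s+(\w+)",
        body, re.I)
    name = name_m.group(1) if name_m else "<anonymous>"
    opens = re.search(r"DBMS_SQL\.OPEN_CURSOR", body, re.I) is not None
    # The last bare EXCEPTION keyword is taken as the unit's outermost handler
    # section (EXCEPTION_INIT and declared exceptions earlier in the unit are not
    # matched by \b...\b or are superseded by the later occurrence).
    positions = [m.start() for m in re.finditer(r"\bEXCEPTION\b", body, re.I)]
    handler = body[positions[-1]:] if positions else ""
    closes_in_handler = re.search(r"DBMS_SQL\.CLOSE_CURSOR", handler, re.I) is not None
    # Definer rights is the default when no AUTHID clause is present.
    definer_rights = re.search(r"AUTHID\s+CURRENT_USER", body, re.I) is None
    return {
        "name": name,
        "opens_cursor": opens,
        "handler_closes_cursor": closes_in_handler,
        "definer_rights": definer_rights,
        "at_risk": opens and not closes_in_handler,
    }


def audit_source(src):
    """Split a script on CREATE statements and audit each unit."""
    units = [u for u in re.split(r"(?=\bCREATE\s)", src, flags=re.I) if u.strip()]
    return [audit_unit(u) for u in units]


if __name__ == "__main__":
    for r in audit_source(LEAKY_PROC + HARDENED_PROC):
        flag = "AT RISK" if r["at_risk"] else "ok"
        print("%-12s definer=%s opens=%s closes_in_handler=%s -> %s" % (
            r["name"], r["definer_rights"], r["opens_cursor"],
            r["handler_closes_cursor"], flag))
```

Running it flags `leaky_query` and clears `safe_query`. The check is intentionally conservative: a unit with several nested blocks, or one that closes the cursor in an inner handler only, needs a manual read, which is where Litchfield's list of conditions for exploitability comes in.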
A security research firm based in Argentina, Argeniss, has announced a plan to publicly disclose an unfixed Oracle Database security bug every day for a week in December - "The Week of Oracle Database Bugs." A disclosed but unpatched security bug is referred to as a 0-day (or zero-day). Argeniss' stated motivation is "to demonstrate Oracle isn't getting any better at securing its products."
Oracle Database session information includes database user name, operating system user name, host, terminal, IP address, module, program, timestamps, session ID, and other details. These values are critical to auditing and identifying the actual end-user. Many of the database session values can be “spoofed” by an attacker either to mask their true identity or to circumvent security and auditing measures. It should come as no shock to anyone that many of these values can be spoofed since this fact has been widely discussed for years.
If you analyze Oracle's Critical Patch Update for October 2006 Advisory and look for any vulnerabilities affecting the Oracle Database version 18.104.22.168, you will see in the "Oracle Database Risk Matrix" that there are no vulnerabilities for 22.214.171.124. In the "Supported Products and Components Affected" section, 126.96.36.199 is not listed. In the initial release on October 17th of the "Critical Patch Update Availability for Oracle Server and Middleware Products" (
We have released our quarterly Oracle E-Business Suite Impact analysis for the Oracle Critical Patch Update (CPU) October 2006. This analysis looks at the CPU from an Oracle E-Business Suite perspective and provides additional details on the fixed vulnerabilities and a patching strategy for the Oracle Database, Oracle Application Server, Oracle Developer 6i, Oracle JInitiator, and Oracle Applications 11i.
As with previous Oracle Critical Patch Updates (CPU), a number of the database patches have not yet been released, and major versions and operating systems are among those missing. Oracle has already "desupported" a number of versions by stealth through not supplying security patches (e.g., 188.8.131.52 - 184.108.40.206). Customers really need to push Oracle to get the patches out on time, especially for major releases and operating systems. I can see not having z/OS and Linux on Power ready, but Unix and Linux? Most of the missing patches are backports on mainstream operat
We have released our E-Business Technology Stack Support Matrix for the Oracle Critical Patch Update (CPU) October 2006. The supported technology stack versions required by Oracle’s Critical Patch Updates (CPU) may be different from the certified technology stack versions. A prime example is that 220.127.116.11 is certified for Oracle Applications, but is not supported by the October 2006 CPU. The Technology Stack support matrix highlights the differences between certified versions and CPU October 2006 required versions.
Oracle has released the Critical Patch Update (CPU) for October 2006. 101 new vulnerabilities across all Oracle products are fixed in this CPU, of which 45 are remotely exploitable. The overall number is high compared with previous CPUs, but it includes a similar number of database and application server vulnerabilities. The spike is due to 35 vulnerabilities in Oracle Application Express (formerly HTML DB).