CPU October 2006 and Mystery Patch

If you analyze Oracle's Critical Patch Update for October 2006 Advisory and look for any vulnerabilities affecting the Oracle Database version, you will see in the "Oracle Database Risk Matrix" that there are no vulnerabilities for  In the "Supported Products and Components Affected" section, is not listed.  In the initial release on October 17th of the "Critical Patch Update Availability for Oracle Server and Middleware Products" (

11i: CPU October 2006 - E-Business Suite Impact

We have released our quarterly Oracle E-Business Suite Impact analysis for the Oracle Critical Patch Update (CPU) October 2006.  This analysis looks at the CPU from an Oracle E-Business Suite perspective and provides additional details on the fixed vulnerabilities and a patching strategy for the Oracle Database, Oracle Application Server, Oracle Developer 6i, Oracle JInitiator, and Oracle Applications 11i.

CPU October 2006 Late Database Patches

As with previous Oracle Critical Patch Updates (CPU), a number of the database patches have not yet been released.  Major versions and operating systems are on the list.  Oracle has already "desupported" a number of versions by stealth through not supplying security patches (e.g., -  Customers really need to push Oracle to get the patches out on-time, especially for major releases and operating systems.  I can see not having z/OS and Linux on Power ready, but Unix and Linux?  Most of the missing patches are backports on mainstream operati

11i: CPU October 2006 - E-Business Suite Tech Stack Matrix

We have released our E-Business Technology Stack Support Matrix for the Oracle Critical Patch Update (CPU) October 2006.  The supported technology stack versions required by Oracle’s Critical Patch Updates (CPU) may be different from the certified technology stack versions.  A prime example is that is certified for Oracle Applications, but is not supported by the October 2006 CPU.  The Technology Stack support matrix highlights the differences between certified versions and CPU October 2006 required versions.

Oracle Critical Patch Update for October 2006 Released

Oracle has released the Critical Patch Update (CPU) for October 2006.  101 new vulnerabilities across all Oracle products are fixed in this CPU of which 45 are remotely exploitable.  The overall number is high as compared to previous CPUs, but includes a similar number of database and application server vulnerabilities.  The spike is due to 35 vulnerabilities in Oracle Application Express (formerly HTMLDB).

11i: Oracle 11i and SSO Whitepaper Updated

Oracle has updated the "Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On" whitepaper from build 3.2 to build 4.0.  This whitepaper is a detailed description of implementing Single-Sign-On for Oracle Applications 11i.  It is one of the more useful Oracle documents, especially since it covers multiple scenarios and provides details on limitations.  The scenarios include Oracle-only implementatio

11i: SQL*Net Encryption Now Certified - Finally

Oracle has finally certified the use of Advanced Security Option/Advanced Network Option for encryption of SQL*Net traffic between the database and application servers.  This certification had been promised for several years.

The Advanced Security Option (ASO) is an optional component of the Oracle Database and is an extra cost.  Advanced Networking Option (ANO) is the previous name of ASO in Oracle 8.0.x, which is also utilized in an Oracle Applications 11i configuration since Forms, Reports, and Concurrent Manager still use an ORACLE_HOME.

11i: October 2006 Critical Patch Update Requirements

Oracle is now pushing all 11.5.10 implementations even harder in terms of mandating minimum patch levels.  The October 2006 Critical Patch Update (CPU) will require at least ATG_PF.H.RUP3 and ATG_PF.H.RUP4 is recommended.  These patches are not included in the base for any 11.5.10 release including CU2.  11.5.7, 11.5.8, and 11.5.9 customers must be at the minimum baseline in

FISMA and Oracle: 2005 Report Card

The Federal Information Security Management Act (FISMA) of 2002 requires all government agencies to submit to the Office of Management and Budget an annual evaluation of IT security across the agency.  The overall results of these reports are complied and reported in the annual "Federal Computer Security Report Card", which scored the Federal government a D+. 

11i: Oracle DMZ Configuration Document Updated

Oracle has updated the Oracle Applications 11i DMZ Configuration document (Metalink Note ID 287176.1).  "Oracle E-Business Suite 11i Configuration in a DMZ" is the definitive reference for implementing Oracle Applications in a DMZ that is externally accessible.  All the recommendations in this document should be closely followed and appropriately penetration tested prior to implementation.  We often find significant security issues in implementatio

Unwrapping PL/SQL

There was very little press coverage regarding Oracle security from last week's Black Hat security conference in Las Vegas.  I am a little surprised about the lack of attention in the media regarding Pete Finnigan's presentation on unwrapping PL/SQL code. 

Bad Oracle Security Press Coming Soon

You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week.  The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week.  Every year this conference gets significant media exposure -- last year was the controversy regarding Cisco and Michael Lynn.  There doesn't seem to be any major headlines this year, so the press may be digging for stories.


Subscribe to RSS

Add us to your favorite news reader.

Follow on Twitter

Get the latest updates.