Oracle Applications 11i User Password Weakness
The inherent weakness of the Oracle Applications 11i user password algorithm is a topic that every so often gets some attention. It bubbles up and then is largely forgotten by most. However, the issue doesn't go away and is very much...
Evading Oracle IDS and Auditing Solutions
With the advent of legislative mandates like Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA), the security and auditing of Oracle Databases has become much more of a priority for most organizations. A common...
October 2006 CPU and 9.2.0.8 - Patches Available December 15
In a follow-up to my previous post regarding mystery patches for 9.2.0.8 in the October 2006 Critical Patch Update, the CPU advisory was updated to include information about 9.2.0.8. However, the patches for 9.2.0.8 are still not available and...
Risk Associated with Cursor Snarfing
A new attack vector for the Oracle Database has been identified related to exploiting DBMS_SQL cursors that have not properly been closed. The name for this type of attack is "Dangling Cursor Snarfing." David Litchfield's paper...
Week-long Disclosure of Unfixed Oracle Security Bugs Suspended
A security research firm based in Argentina, Argeniss, had announced a plan to publicly disclose an unfixed Oracle Database security bug every day for a week in December - "The Week of Oracle Database Bugs." A disclosed unpatched...
Spoofing Oracle Session Information
Oracle Database session information includes database user name, operating system user name, host, terminal, IP address, module, program, timestamps, session ID, and other details. These values are critical to auditing and identifying the actual end...
Oracle and CVSS
Oracle has adopted the Common Vulnerability Scoring System (CVSS) as its standard for communicating the severity of security vulnerabilities in its products. The critics have already jumped on Oracle for "manipulating" the CVSS...
11i: Best Practices for Securing the E-Business Suite Updated
Oracle has updated the white paper "Best Practices for Securing Oracle E-Business Suite version 3.0.4" Metalink Note ID 189367.1. The major changes to the document include - Added the new Oracle Applications 11.5.10 application...
CPU October 2006 and 9.2.0.8 Mystery Patch
If you analyze Oracle's Critical Patch Update for October 2006 Advisory and look for any vulnerabilities affecting the Oracle Database version 9.2.0.8, you will see in the "Oracle Database Risk Matrix" that there are no vulnerabilities for...
11i: CPU October 2006 - E-Business Suite Impact
We have released our quarterly Oracle E-Business Suite Impact analysis for the Oracle Critical Patch Update (CPU) October 2006. This analysis looks at the CPU from an Oracle E-Business Suite perspective and provides additional details on the...
CPU October 2006 Late Database Patches
As with previous Oracle Critical Patch Updates (CPU), a number of the database patches have not yet been released. Major versions and operating systems are on the list. Oracle has already "desupported" a number of versions by...
11i: CPU October 2006 - E-Business Suite Tech Stack Matrix
We have released our E-Business Technology Stack Support Matrix for the Oracle Critical Patch Update (CPU) October 2006. The supported technology stack versions required by Oracle’s Critical Patch Updates (CPU) may be different from the...
Oracle Critical Patch Update for October 2006 Released
Oracle has released the Critical Patch Update (CPU) for October 2006. 101 new vulnerabilities across all Oracle products are fixed in this CPU of which 45 are remotely exploitable. The overall number is high as compared to previous CPUs...
Oracle Critical Patch Update Documentation Improvements
The Oracle Global Product Security team has announced some new changes to Oracle's quarterly Critical Patch Update (CPU) documentation. Organizations face a huge challenge in attempting to prioritize and determine the impact of each CPU, especially...
11i: Oracle 11i and SSO Whitepaper Updated
Oracle has updated the "Integrating Oracle E-Business Suite Release 11i with Oracle Internet Directory and Oracle Single Sign-On" whitepaper from build 3.2 to build 4.0. This whitepaper is a detailed description of implementing...
