
[ISN] Major Oracle Patch Covers Enterprise Products, Database Server

Subject: [ISN] Major Oracle Patch Covers Enterprise Products, Database Server
Date: Wed, 13 Jul 2005 05:15:25 -0500 (CDT)
http://www.eweek.com/article2/0,1895,1836304,00.asp

By Lisa Vaas 
July 12, 2005 

Oracle has released a set of 49 patches that addresses new flaws in 
multiple versions of its Database Server, Application Server, 
Collaboration Suite, E-Business and Applications, and Enterprise 
Manager products. 

The patches are available on OTN (the Oracle Technology Network) [1]. 

The product flaws vary in terms of exploitability. Oracle Database has 
12 flaws, including a flaw in Database 10g's Oracle OLAP (online 
analytical processing) that requires the Database privilege "execute on 
olapsys" but which, according to Oracle's posting, is both easily 
accessible and would have a wide impact. 
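A practitioner reading that the OLAP flaw is gated on EXECUTE on OLAPSYS 
will want to know which accounts in a given instance actually hold that 
privilege before deciding how urgently to apply the patch. The queries 
below are an added example, not part of the article or of Oracle's 
advisory; they assume an Oracle 10g instance and a session that can read 
the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_ROLES dictionary views (for 
instance one connected AS SYSDBA).

```sql
-- Added example (not from the article or Oracle's advisory).
-- Enumerate accounts able to EXECUTE OLAPSYS-owned objects, which is the
-- privilege the article says the Database 10g OLAP flaw requires.
-- Assumes: Oracle 10g, run as a user with SELECT on the DBA_* views (e.g. SYSDBA).

-- 1. Direct grants of EXECUTE on anything owned by OLAPSYS.
SELECT grantee, table_name AS object_name, grantable
  FROM dba_tab_privs
 WHERE owner = 'OLAPSYS'
   AND privilege = 'EXECUTE'
 ORDER BY grantee, table_name;

-- 2. Users reached through roles, following role-to-role grants to any depth.
--    Start from every role that holds a direct EXECUTE grant and walk up the
--    DBA_ROLE_PRIVS tree to the users (and roles) that have been granted it.
SELECT DISTINCT grantee AS holder, granted_role AS via_role, LEVEL AS depth
  FROM dba_role_privs
 START WITH granted_role IN (
         SELECT tp.grantee
           FROM dba_tab_privs tp
           JOIN dba_roles r ON r.role = tp.grantee
          WHERE tp.owner = 'OLAPSYS'
            AND tp.privilege = 'EXECUTE')
 CONNECT BY NOCYCLE PRIOR grantee = granted_role
 ORDER BY depth, holder;

-- 3. A grant to PUBLIC means every account qualifies; treat it as the
--    worst case when deciding how urgently to apply the July 2005 CPU.
SELECT table_name AS object_name
  FROM dba_tab_privs
 WHERE owner = 'OLAPSYS'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE';
```

Query 2 reports one hop per row, so an account that inherits the privilege 
through a chain of roles shows up with the intermediate role and its depth; 
anything returned by query 3 makes the other two moot, since every account 
in the instance then meets the precondition.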

Oracle's Application Server also has a dozen flaws that span the range 
in terms of authorization required, severity of impact and ease of 
exploitation. Collaboration Suite has six flaws and E-Business Suite 
has 17, while Enterprise Manager has two. 

The new database vulnerabilities addressed by this Critical Patch 
Update don't affect Oracle Database Client-only installations 
(installations that don't have the Oracle Database Server installed). 

Therefore, according to Oracle's posting, it is not necessary to apply 
this Critical Patch Update to client-only installations if a prior 
Critical Patch Update, or Alert 68, has already been applied to the 
client-only installations. 

The Oracle Database Server, Enterprise Manager and Oracle Application 
Server patches are cumulative, containing all fixes from the previous 
Critical Patch Update. 

Not so for E-Business Suite or Collaboration Suite patches, however, 
so customers using these products should refer to previous Critical 
Patch Updates to identify previous fixes they need to apply. 

This is the third of Oracle's Critical Patch Updates since the company 
started cumulative patch releases in January. 

Jon Oltsik, an analyst at Enterprise Strategy Group, said that Oracle 
customers are mostly comfortable with Oracle's new patching strategy, 
but they would like Oracle to be more proactive with emergency 
patches. 

"If any are high impact, if I were a customer and had a major 
investment in Oracle, I wouldn't want to wait around for the 
cumulative patch release," he said. "I want to know about them 
immediately and apply them immediately." 

In contrast, Microsoft offers custom services for big enterprise 
customers. Oracle has resisted that, Oltsik said, since it's more 
difficult from a process perspective to offer such services. "[But] if 
I'm a big customer, I don't care about your processes," he said. "If 
I'm buying from you, give me good service." 

"People tend to criticize Microsoft from [the standpoint of] general 
security and number of vulnerabilities," Oltsik said. "But from [the 
perspective of] patching and management strategies, they're very, very 
good and flexible. I'd say, more so than Oracle." 

[1] http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html


