Already 3 months gone by? April 2011 Critical Patch Update Released (direct link to Database vulnerabilities). Mostly obscure components that aren’t in widespread use in the DB world, but who knows…

It’s that time of the year again: January 2011 Oracle Critical Patch Update Released. People using OEM Grid Control on 11g versions and people using RAC on 10g and newer are vulnerable to remote vulnerabilities not requiring authentication, so again quite a serious CPU. Go and patch!

Oracle answers one of the most-asked questions around CPUs: What are the criteria used by Oracle to decide whether a vulnerability warrants a fix in the CPU?

The Oracle Critical Patch Update October 2010 is out, see the Oracle Security Blog for commentary. Of the 9 Database related vulnerabilities, 7 do not apply if you are on the latest patchset on 10gR2 or 11gR2, a much higher than usual number, and hopefully a good sign for what’s to come. On the other hand that means you should really be on the latest patchset for these, and get off of 10gR1 and 11gR1 urgently, unless you want to keep up the patching cycles.

Oracle CPU July 2010

July 13th, 2010

Oracle’s Critical Patch Update July 2010 is out, with two easy-to-exploit DoS vulnerabilities in the Database network stack (although one is Windows only), and one critical vulnerability in the OLAP component. Let’s just hope that one only opens the DB to attack if OLAP is actually linked in, because I guess most people’s Oracle will not have OLAP built in.

There are three more DB vulnerabilities – check the DB matrix in the appendix for details.

As usual, our lucky Frenchman Eric Maurice gives the full rundown at the Oracle Security Blog.

Oracle’s Critical Patch Update Pre-Release Announcement – July 2010 arrived online, and the nice folks at Integrigy already published their standard CPU pre-release analysis.

I’m a bit worried about the number of highly critical Database alerts: four out of six vulnerabilities are remotely exploitable without authentication. Hope that’s just on Windows (as was often the case in the past), or in obscure features or functions that aren’t enabled by default.

Oracle CPUJul2008 Advisory

July 15th, 2008

Where has Oracle, surprisingly, started assigning a CVE identifier to every vulnerability?

What lets Oracle Database DBAs sleep more soundly, but Oracle Applications DBAs not at all?

What have all Oracle specialists been waiting for for a long time, and yet nobody will do anything about it?

The Oracle Critical Patch Update – January 2008 is out, and I think we database folks can breathe easy. Practically only add-on components such as XML DB, Advanced Queuing, Spatial and UltraSearch are affected. Only DB05 concerns upgrade/downgrade and is exploitable over Oracle Net. It is probably the issue that, during the dictionary upgrade, the default password can be used for individual accounts. The workaround is simple: shut down the listener during the upgrade. That is recommended anyway!
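As an added example (not code from the original posts), these are the inventory checks a DBA would run before deciding whether a given CPU entry applies at all: the patchset level (the October 2010 entry), which add-on components such as XML DB, Spatial, UltraSearch or OLAP are actually installed (the July 2010 and January 2008 entries), whether the database is RAC (the January 2011 entry), and which accounts still carry a default password (the January 2008 upgrade issue). It assumes a session with DBA privileges on a 10g or 11g database; the DBA_USERS_WITH_DEFPWD view exists only from 11g on, so that last query is an assumption for older releases.

```sql
-- Added example, not from the original posts. Assumes a DBA-privileged
-- session on a 10g/11g database.

-- 1. Which release and patchset is this? Most October 2010 DB fixes do not
--    apply on the latest 10gR2/11gR2 patchset.
SELECT banner
  FROM v$version;

-- 2. Which optional components are loaded into the data dictionary?
--    Look for XDB (XML DB), SDO (Spatial), WK (UltraSearch) and the OLAP
--    entries (APS, XOQ, AMD). A component without a row here is not
--    installed, so a fix for it is not urgent on this database.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 3. Is OLAP (or RAC) even linked into the binary? v$option reflects the
--    options built into the executable, independent of the dictionary.
SELECT parameter, value
  FROM v$option
 WHERE parameter IN ('OLAP', 'Spatial', 'Real Application Clusters')
 ORDER BY parameter;

-- 4. Is this instance actually running as RAC? (January 2011 entry)
SELECT name, value
  FROM v$parameter
 WHERE name = 'cluster_database';

-- 5. Accounts still on their default password. 11g and later only (assumption:
--    on 10g this view does not exist). Relevant to the January 2008
--    upgrade/downgrade issue, where default passwords were usable during the
--    dictionary upgrade.
SELECT username
  FROM dba_users_with_defpwd
 ORDER BY username;
```

Run the queries as SYS or a DBA account; the listener shutdown recommended above for the dictionary upgrade is done from the operating system with lsnrctl, not from SQL, and should be restarted only after the upgrade scripts have completed.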