You are currently viewing the Alexander Kornbrust Oracle Security Blog archives for the following day: 17 Jul 2007.

Archive for 17 Jul 2007

Oracle Molecule / napply CPU

Eric Maurice from Oracle Global Security wrote in his blog that this CPU comes with a new concept called molecule.

The napply CPU is an enhanced CPU format for Oracle Database Server for Unix and Linux platforms version 10.2.0.3 and onward (including 10.2.0.4 and 11g). In a napply CPU, the security fixes are now grouped in what are called molecules. Each molecule in the CPU is independent, and does not conflict with other molecules in the CPU. Conflicts between molecules occur when fixes included respectively in each molecule affect the same file or group of files.

The new CPU format will greatly simplify the patch conflict resolution procedures, thus providing for a quicker resolution of security vulnerabilities than was previously the case.

Oracle CPU July 2007

The Oracle CPU July 2007 is out.

The CPU contains fixes for 46 Oracle vulnerabilities. Most of the vulnerabilities come from the usual suspects: Integrigy (8 of the 14 E-Business Suite vulnerabilities), Red-Database-Security (3 vulnerabilities), Argeniss, NGS and Joxean Koret. This time Imperva also found a vulnerability. Welcome to the usual suspects…
Two of Integrigy's SQL injection vulnerabilities (thanks to Steven Kost for the info) are remotely exploitable without authentication.

My vulnerabilities are a SQL injection vulnerability in Apex (fixed with Apex 3.0.1), a SQL injection vulnerability in dbms_prvtaqis and a critical vulnerability in database views. The view bug is similar (but not identical) to the bugs fixed in April 2006 and October 2006. By using a specially crafted view it is possible to insert/update/delete via database views.

More info soon on the analysis web page of Red-Database-Security.
The first advisories and an analysis of the Oracle CPU July 2007 are available on our website.
– Alex
