Yesterday night Oracle released the July 2009 CPU. This CPU contains 30 fixes for several Oracle products. 10 security issues are fixed in the Oracle Database Server.As always the usual suspects (Esteban, David, Joxean, Alexandr, Dennis) and a few others reported issues in Oracle products.
The 3 most critical bugs this time are related to the TNS Listener and one of the bugs be exploited without authentication.These issues CVE-2009-1020, CVE-2009-1019, CVE-2009-1963 are rated with CVSS 9 (for Windows), 7.5 for Unix.
Oracle has also fixed 3 of my findings in the database (3 out of 10 :-))
- SQL Injection in DBMS_EXPORT_EXTENSION (previously fixed in April 2006)
- Information Disclosure (Password Hash) in Database Vault
- Information Disclosure (Password Hash) in Audit Vault
More details will be published within the next few days. The updates for our Oracle database scanner Repscan (free trial available) will be released within the next 2 days.