Archive for July 2009
July CPU – What’s of interest
Just having a look through the CPU for July, the first item, CVE-2009-1020, makes this CPU very important for Windows-hosted databases. Because the Windows installation method for Oracle products requires Administrator Group privileges, this bug provides an attack vector through which the entire server can be compromised, not a nice proposition. The impact on Unix and Linux is less severe: Oracle runs there under a non-root account, so a total compromise of the server is not possible and the damage is confined to what the oracle account can reach. The other problems addressed in the patch set are not as bad, as none of them leads to a full compromise. One worrying aspect is that most are of Low access complexity in CVSS terms, or, to put it simply, the attacks are easy to set up. CVE-2009-1019 is of concern as it is remotely exploitable without authentication. It also affects all three aspects of CIA (confidentiality, integrity and availability) for the database, although in each case the impact is rated as only partial.
For those of you interested in developing your security knowledge further, reading about the CVSS (Common Vulnerability Scoring System) is worthwhile, as it lets you give a better assessment of the problems and their impact on the databases and other products you manage for your organisation.
Recommendation: Update your databases to apply this CPU
With Application Server the items are rated a little lower; however, both are remote attacks without authentication, one compromising the HTTP Server and the other affecting the security tools. Neither attack is difficult to carry out.
Once again, as the HTTP Server is a front-line component, it is important to update it, since the vulnerability may be used more creatively than Oracle and the security analysts have envisaged. Recommendation: Patch and update
I don’t work presently with E-Business Suite and PeopleSoft, so I won’t comment other than to say that since you already have a need to patch your Oracle database and your Application Server, you should review and apply the patches across the board.
From the BEA technologies, the JRockit vulnerability derives from a number of Java bugs; Sun has published details on these. If you use JRockit for public-facing systems this is a critical patch to address: the CVSS base score of 10, together with the fact that it allows a complete compromise, is worrying. Some of you will already have applied the Sun patches and so avoided some or all of the issues addressed in this patch.
Recommendation: Upgrade now
That has made for an interesting bundle this quarter, so happy patching.
See ya round
Peter
Setting up SOA Suite 10.1.3 with F5 load balancer and SSL
I have been working a lot with Application Server of late, and one of the tasks I had was to configure SOA Suite to use SSL for the web pages that are used, such as the BPEL Manager. It seemed a pretty straightforward task and I had instructions provided by what should have been a reliable source. Simple enough it went: install SOA Suite onto the application server, taking into consideration that the F5 is part of the infrastructure; make it work as a plain HTTP connection; then configure the Apache server so that it understands that the virtual URL through the F5 is SSL, which apparently only required adding a few lines of VirtualHost entries to httpd.conf and restarting the SOA Suite.

My initial plan was to run SOA Suite on non-standard ports between 8000 and 8999, really only a few ports between 8000 and 8010. This site needed a standardised way of running multiple instances on a single Application Server host for different business units within the department. This turned out to be a major failure, as it seems there is a problem with the 8xxx ports, particularly the 80xx ports, as the F5 turned out to have a bug.

What you have to do is pretty simple, and if you do the following it will work straight away:

1) Have the F5 configured by the networks team, with your application servers placed into pools as required in the F5 config for load balancing.

2) Add the following to your SOA Suite HTTP Server configuration file (httpd.conf):
# 2.1) Load Oracle's mod_certheaders, which provides the SimulateHttps directive
LoadModule certheaders_module libexec/mod_certheaders.so

# Name-based virtual hosts on the port the F5 forwards to (7500 here)
NameVirtualHost *:7500

# Requests arriving with the F5 virtual hostname: tell Apache the client
# connection is SSL (terminated at the F5) so generated URLs use https
<VirtualHost *:7500>
    ServerName F5virtualhost.department.qld.gov.au
    Port 7500
    ServerAdmin you@your.address
    RewriteEngine on
    RewriteOptions inherit
    SimulateHttps on
</VirtualHost>

# Requests addressed directly to the physical host stay plain http
<VirtualHost *:7500>
    ServerName host.department.qld.gov.au
    Port 7500
    ServerAdmin you@your.address
    RewriteEngine on
    RewriteOptions inherit
</VirtualHost>
You then need to stop and start all components with opmnctl (opmnctl stopall, then opmnctl startall). Now you should be able to connect both directly to the physical host via http, and via the F5 over both SSL and non-SSL; whether non-SSL access through the F5 is allowed is determined by the F5 settings. Note that SimulateHttps does not encrypt anything: TLS is terminated at the F5, and the hop from the F5 to the HTTP Server on port 7500 remains plain HTTP, so that segment needs to be a trusted network. The directive only makes Apache treat the request as HTTPS and generate https URLs, which is what stops pages reached through the F5 from sending clients back to plain http.
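A check worth running once the VirtualHost entries above are in place, added here as an example and not part of the original post: the symptom that SimulateHttps cures is Apache behind a TLS-terminating load balancer emitting http:// URLs in Location headers and page links, so a browser that arrived over https gets bounced to plaintext. The script below scans a response for absolute http:// URLs that point at the public (F5) hostname; `check_live` wraps the same check around a real request without following redirects. The hostname is the one from the config above, and the two sample responses are constructed for illustration.

```python
"""Post-deployment check for SSL offloading + SimulateHttps.

Added example, not code from the original post.  Flags absolute http://
URLs that point at the public F5 hostname in response headers or body,
since any such URL would drag an https client back to plain http.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Public name clients use through the F5 (taken from the post's config).
PUBLIC_HOST = "F5virtualhost.department.qld.gov.au"

# Absolute URL, stopping at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def find_plaintext_urls(public_host, headers, body):
    """Return every absolute http:// URL in headers or body whose host is
    public_host.  headers is an iterable of (name, value) pairs, body a str.
    A port suffix (e.g. :7500 leaking out) still counts as the public host."""
    found = []
    for text in [value for _, value in headers] + [body]:
        for match in URL_RE.finditer(text):
            url = match.group(0).rstrip(".,;)")
            parts = urlsplit(url)
            if (parts.scheme.lower() == "http"
                    and parts.hostname
                    and parts.hostname.lower() == public_host.lower()):
                found.append(url)
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_live(url, public_host=PUBLIC_HOST, timeout=10):
    """Fetch url once (no redirects) and run find_plaintext_urls on the reply.
    Point it at https://<public_host>/... after the F5 and vhosts are set up."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # a suppressed 3xx surfaces here; it carries headers/body
    body = resp.read().decode("utf-8", "replace")
    return find_plaintext_urls(public_host, resp.headers.items(), body)


# Constructed samples: what a server without SimulateHttps tends to return
# for a request that came in over https via the F5, and what a fixed one returns.
BROKEN_HEADERS = [
    ("Location", "http://F5virtualhost.department.qld.gov.au:7500/BPELConsole/"),
    ("Content-Type", "text/html"),
]
BROKEN_BODY = ('<a href="http://F5virtualhost.department.qld.gov.au'
               '/BPELConsole/login.jsp">login</a>')

FIXED_HEADERS = [("Location", "https://F5virtualhost.department.qld.gov.au/BPELConsole/")]
FIXED_BODY = ('<a href="https://F5virtualhost.department.qld.gov.au'
              '/BPELConsole/login.jsp">login</a>')


def demo():
    """Run the check over the constructed samples; returns (broken, fixed)."""
    broken = find_plaintext_urls(PUBLIC_HOST, BROKEN_HEADERS, BROKEN_BODY)
    fixed = find_plaintext_urls(PUBLIC_HOST, FIXED_HEADERS, FIXED_BODY)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    print("without SimulateHttps:", broken)
    print("with SimulateHttps:   ", fixed)
```

Run `check_live("https://F5virtualhost.department.qld.gov.au/BPELConsole/")` from a client that goes through the F5; an empty list means the redirects and self-referencing links stay on https. Running it against `http://host.department.qld.gov.au:7500/...` directly should also return an empty list, simply because nothing there should mention the public name.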
The Application Server implementation has proven to have a number of challenges that have given me a whole new insight into the workings of middleware. This is a load-balanced and highly available installation; it is, however, not high availability in Oracle’s sense of the term and it does lack in some parts, but these in no way affect the client, and it provides a way forward to a new infrastructure for Application Server 10g.
Oracle Agent 10.2.0.5 – Funny ideas some people have
I am installing the 10.2.0.5 Agent for Oracle Grid Control and found the following just a little humorous. You see, the one-off patch is showing as optional. Now that would be good if I had been given a chance to choose whether to install the “Optional” one-off patch, but at no time leading up to this little screen was I informed that a one-off patch existed and that it was in fact optional to install it. Now I am not sure about you, but if Oracle has decided that a one-off patch needs to be installed in the process of installing the Agent or any other software, then I am not likely to finish the installation and then, first thing, go and remove that patch because it is “Optional”. OK, it must have been a slow morning to find it funny.

Enjoy the thought that you can have optional when it’s not really. I guess I can now run OPatch, find out about its merits and remove it if I want; however, that might mean other issues down the track, so I think I will just leave the optional patch there.
