Posts Tagged ‘Oracle Database’

July CPU – What’s of interest

Having a look through the July CPU, the first item, CVE-2009-1020, makes this CPU very important for Windows-hosted databases. Because Oracle products on Windows are installed and run with Administrator group privileges, this bug gives an attacker who compromises the database a route to compromising the entire server, which is not a nice proposition. The impact on Unix and Linux is lower: Oracle runs there under a non-root account, so compromising the database does not by itself hand over the whole server. The other problems addressed in the patch set are not as bad, as none of them gives a full compromise on its own. One worrying aspect is that most of them are rated Low access complexity, which is to say they are easy to set up as an attack. CVE-2009-1019 is of concern because it is remotely exploitable without authentication; it also touches all three of confidentiality, integrity and availability (CIA) for the database, although only as a partial compromise of each.

For those of you interested in developing your security knowledge further, reading up on the CVSS scoring system is worthwhile: it lets you make a better assessment of these problems and their impact on the databases and other products you manage for your organisation.

Recommendation: Update your databases to apply this CPU.

With Application Server the items are rated a little lower; however, both are remote attacks without authentication, one compromising the HTTP server and the other affecting the security tools. Neither is difficult to turn into an attack.

Once again, because the HTTP server is a front-line device it is important to update it, as the vulnerability may be used more creatively than Oracle and the security analysts have envisaged. Recommendation: Patch and update.

I don't presently work with E-Business Suite or PeopleSoft, so I won't comment other than to say that, since you already have a need to patch your Oracle database and your application server, you should review and apply the patches across the board.

From the BEA technologies, the JRockit vulnerability derives from a number of Java bugs on which Sun has already published details. If you use JRockit for public-facing systems this is a critical patch to address: the 10 rating, together with the fact that it is an entire compromise, is worrying. Some will already have applied the Sun patches and thereby avoided some or all of the issues addressed in this patch.

Recommendation: Upgrade now

That has made for an interesting bundle this quarter, so happy patching.

See ya round

Peter


Oracle Agent 10.2.0.5 – Funny ideas some people have

I am installing the 10.2.0.5 Agent for Oracle Grid Control and found the following just a little humorous. You see, the one-off patch is showing as optional. Now that would be fine if I had been given a chance to choose whether to install the "Optional" one-off patch, but at no point leading up to this little screen was I told that a one-off patch existed, let alone that it was optional. I am not sure about you, but if Oracle has decided that a one-off patch needs to be installed as part of installing the Agent or any other software, I am not likely to finish the installation and then, first thing, go and remove that patch because it is "Optional". OK, it must have been a slow morning to find that funny. Enjoy the thought that you can have "optional" when it isn't really. I suppose I could now run OPatch, look into the merits of the patch and remove it if I wanted to, but that might mean other issues down the track, so I think I will just leave the optional patch there.
