My experience, findings and thoughts in my daily work with Oracle products
Oracle OPatch Security Holes
Published Tuesday, August 23, 2005 by Radoslav Rusinov
A new white paper is coming from one of the leading security companies, NGS (Next Generation Security) Software Ltd. It will cover problems discovered after using the OPatch utility to apply Oracle patches, and its title is "Patch Verification of Oracle Database Servers".
Some quotes from this eWeek news story, "Security Firm: Oracle Opatch Leaves Firms Uncovered":
Of a total of more than 100 recently surveyed database servers, a staggering 76 percent have anomalies between expected and actual patch levels.
Quotes from another interview with David Litchfield, managing director for NGS, "OPatch, wherefore art thou?":
"The fact is that Opatch is failing, or [an Oracle] patch failed to fix certain issues appropriately," he said. "Customers aren't doing anything wrong. It's the tools themselves that are faulty."
In the April CPU, on all platforms, new Java classes supplied to fix SQL injection vulnerabilities in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE were not actually loaded.
Opatch often fails for various reasons. "Permissions are wrong; files that are to be patched are still in use; environment variables are wrong; whatever the reason might be, and a quick search on Google reveals many more, Opatch can often fail to update the inventory"
- Incomplete patches
- Patches fail to fix the flaw
- Failure to perform post installation tasks
- OPatch fails to update the inventory
I will open a new post, with a link for download, when the paper is available on the NGS site.
Interview with Oracle Chief Security Officer Mary Ann Davidson: "When security researchers become the problem", one of the rare official Oracle statements about their security problems.
- » I'm Radoslav Rusinov
- » From Sofia, Bulgaria
- » Employer TechnoLogica Ltd.
- » I am working as a Database Consultant in Sofia, Bulgaria.
My main professional interests are in the database area and especially in the Oracle RDBMS, including database design, development, security and administration.
- » The views expressed on this blog are my own and do not necessarily reflect the views of my employing company and its affiliates