My experience, findings and thoughts in my daily work with Oracle products
Oracle OPatch Security Holes
Published Tuesday, August 23, 2005 by Radoslav Rusinov | E-mail this post
A new white paper is coming from one of the leading security companies - NGS (Next Generation Security) Software Ltd.
It will be related to discovered problems after using of the OPatch utility for applying of Oracle patches and the title is "Patch Verification of Oracle Database Servers".
Some quotes from this Eweek news story: Security Firm: Oracle Opatch Leaves Firms Uncovered:
A total of more than 100 recently surveyed database servers, a staggering 76 percent have anomalies between expected and actual patch levels.Quotes from another interview with David Litchfield, managing director for NGS: OPatch, wherefore art thou?
"The fact is that Opatch is failing, or [an Oracle] patch failed to fix certain issues appropriately," he said. "Customers aren't doing anything wrong. It's the tools themselves that are faulty."
In the April CPU, on all platforms, new Java classes supplied to fix SQL injection vulnerabilities in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE were not actually loaded
Opatch often fails for various reasons. "Permissions are wrong; files that are to be patched are still in use; environment variables are wrong; whatever the reason might be, and a quick search on Google reveals many more, Opatch can often fail to update the inventory"
Incomplete patchesI will open a new post when the paper is available on the NGS site with a link for download.
Patches fail to fix the flaw
Failure to perform post installation tasks
OPatch fails to update the inventory
Interview with Oracle Chief Security Officer - Mary Ann Davidson: When security researchers become the problem, one of the seldom official Oracle statements about their security problems.
Labels: Security
About me
- » I'm Radoslav Rusinov
- » From Sofia, Bulgaria
- » Employer TechnoLogica Ltd.
- » I am working as a Database Consultant in Sofia, Bulgaria. My main professional interests are in the database area and especially in the Oracle RDBMS, including database design, development, security and administration.
- » The views expressed on this blog are my own and do not necessarily reflect the views of my employing company and its affiliates
- » My profile
RSS 2.0 Feed
Search This Blog with Google
Search This Blog with Free Find
Search This Blog with Technorati
Previous Posts
- Pete Finnigan's Weblog
- The Don Burleson's article
- The _PGA_MAX_SIZE hidden parameter
- Management of the Oracle9i PGA
- Using of BULK COLLECT and FORALL for better perfor...
- Strange behaviour of the CBO, part 2
- Strange behaviour of the CBO, part 1
- How to see the MOD_PLSQL passwords in clear text
- Forcing Oracle to use LOGGING mode
- How to Cope with an ORA-01000 Error
Articles & Presentations
- Backup & Recovery Enhancements in Oracle 10g - pdf (EN)
- How to Cope with an ORA-01000 Error - pdf (EN)
- How to Cope with an ORA-01000 Error - doc (EN)
- Oracle Tools & Utilities, System and Oracle Environment Variables, Oracle Registry Parameters and Their Relations - pdf (BG)
- Development of Oracle9i-based Information System - pdf (BG)
- Windows NLS Considerations - pdf (EN)
- Windows NLS Considerations - doc (EN)
Discover Bulgaria
Oracle News & Blogs Aggregators
- Oracle Blogs - Brian Duff
- OraNA Oracle News - Eddie Awad
- Oracle Blogs - Oracle
- Oracle Blogs - Pete Finnigan
- OraFAQ Blog Aggregator
- Oracle Related Tags - del.icio.us - Joshua Schachter
- Oracle 10g Related Tags - del.icio.us - Joshua Schachter
- PL/SQL Related Tags - del.icio.us - Joshua Schachter
- Oracle News - del.icio.us - Joshua Schachter
Oracle Resources
- AppsDBA.com Web Site - Andy Rivenes
- Ask Tom - Thomas Kyte
- Battle Against Any RAID Five (BAARF)
- Christopher Lawson
- Centrex Consulting Corporation - Wolfgang Breitling
- Chesham Database Systems - Mark A. Williams
- Go-Faster Consultancy Ltd. - David Kurtz
- Database Specialists, Inc. - Roger Schrag
- DBAZine Database Portal
- Dizwell Informatics - Howard Rogers
- EvDBT.Com - Tim Gorman
- Hotsos - Carry Millsap
- jDUL/DUDE (Database Unloading by Data Extraction)
- Jeff Hunter's Oracle - Software Engineering Site
- Jeremiah Wilton Consultancy - Jeremiah Wilton
- JL Computer Consultancy - Jonathan Lewis
- integrid.info - Tanel Poder
- Ixora - Steve Adams
- Metalink Oracle Support Site
- Miracle A-S - Mogens Norgaard
- Natural Join B.V. - Lex de Haan
- Oracle and SQL Performance Tuning Specialists - Mark Gurry
- ORACLE-BASE - Tim Hall
- oracledba.co.uk - Connor McDonald
- Oracle FAQ
- Oracle Internals - Julian Dyke
- Oracle PL/SQL Programming - Steven Feuerstein
- Oracle RAC SIG
- OraPerf - Anjo Kolk
- oraperf.sourceforge.net - Kyle Hailey
- OraPub, Inc. - Craig Shallahamer
- OTN - DBA and Sysadmin
- puschitz.com - Werner Puschitz
- Scale Abilities - James Morle
- The OakTable Network
- The Pythian Group - Paul Vallee
- TUSC - The Oracle Experts
Oracle User Groups
Oracle Blogs
- Abhinav Agarwal - Business Intelligence
- Alan Nolan-Davies
- Alejandro Vargas - Scripts and Tips
- Alex Gorbachev
- Amarjyoti Dewri
- AMIS Technology
- Andrej Koelewijn
- Andrew Clarke
- Andy Campbell
- Andy Rivenes - AppsDBA
- Anjo Kolk - Performance
- Bill Thater
- Brian Duff
- Carl Backstrom - Oracle Application Express
- Carl Reitschuster
- Catherine Devlin - Python and Oracle
- Chris Foot
- Christo Kutrovsky
- Christopher Jones - PHP, Linux, OPAL
- Colin Maxwell - Oracle Product Technology Services
- David Aldridge - Data Warehousing
- David Litchfield - Security
- Devidas Dumbre - Oracle Applications
- Dimitri Gielis - Application Express
- Doug Bourns
- Edward Stangler
- Eddie Awad
- Edward Whalen - Oracle on Windows
- Egor Starostin
- Eric S. Emrick
- Frank van Bortel
- Francois Degrelle
- Fuad Arshad
- Gary Myers
- Grant Ronald - Forms and J2EE
- Howard Rogers
- Jeff Hunter
- Jeffrey Kemp
- Jeff Moss
- John Baughman
- Justin Kestelyn - OTN TechBlog
- Laurent Schneider
- Lewis R Cunningham
- Lisa Dobson - Newbies DBA
- Lisa Vaas - Oracle Watch at eWeek
- Lutz Hartmann
- Mark Coleman - Oracle and Unix
- Mark Rittman - Business Intelligence and DW
- Marcos M. Campos - Data Mining
- Mark Wilcox - Identity Management
- Mary Ann Davidson - Security
- Matt Penny - Oracle on Windows
- Michael Armstrong-Smith - Discoverer
- Mike Ault
- Mogens Norgaard
- Niall Litchfield Blog
- Nicholas Goodman - Business Intelligence
- Nigel Thomas
- Nilesh Jethwa - Applications Business Intelligence
- Oracle Security Team
- Oracle WTF - Curious Perversions in Oracle World
- Pete Finnigan - Security
- Peter K
- Peter Lewis
- Peter Scott
- Pythian Group
- Robert Baillie
- Robert Vollman
- Roderick Manalac
- Scott Spendolini - Application Express
- Sergio Leunissen - Application Express
- Steven Feuerstein - PL/SQL Development
- Stefan Roesch - Oracle RAC
- Sue Harper
- Tarry Singh
- Tarry Singh - Performance
- Tim Hall
- Tom Kyte
- Tony Andrews
- Vadim Bobrov - Oracle Development
- Wilfred (OraTransplant)
- Wim Coekaerts - Linux/Open Source
- Yasin Baskan
Oracle Forums
Security Resources
- Argeniss - Cesar Cerrudo
- Black Hat Briefings, Training and Consulting - Jeff Moss
- Database Security - David Litchfield
- Fortify Software - Source Code Security - John M. Jack
- Johny Hack Stuff
- Internet Security Systems (ISS) - Christopher Klaus
- Nessus Open Source Vulnerability Scanner Project
- NGS Software - David Litchfield
- Oracle and Oracle security information - Pete Finnigan
- OWASP - Open Web Application Security Project
- Protegrity Data Protection Solutions - Gordon O. Rapkin
- Red Database Security - Alexander Kornbrust
- SecurityFocus Portal
- SPI Dynamics - Web Application Security and Testing
- Sys-Security - Ofir Arkin
Professional CV
Blog Statistics
0 Responses to “Oracle OPatch Security Holes”
Leave a Reply