My experience, findings and thoughts in my daily work with Oracle products

Oracle OPatch Security Holes

E-mail this post

Remember me (?)

All personal information that you provide here will be governed by the Privacy Policy of More...

A new white paper is coming from one of the leading security companies -
NGS (Next Generation Security) Software Ltd.
It will be related to discovered problems after using of the OPatch utility for applying of Oracle patches and the title is "Patch Verification of Oracle Database Servers".
Some quotes from this Eweek news story: Security Firm: Oracle Opatch Leaves Firms Uncovered:
A total of more than 100 recently surveyed database servers, a staggering 76 percent have anomalies between expected and actual patch levels.

"The fact is that Opatch is failing, or [an Oracle] patch failed to fix certain issues appropriately," he said. "Customers aren't doing anything wrong. It's the tools themselves that are faulty."

In the April CPU, on all platforms, new Java classes supplied to fix SQL injection vulnerabilities in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE were not actually loaded

Opatch often fails for various reasons. "Permissions are wrong; files that are to be patched are still in use; environment variables are wrong; whatever the reason might be, and a quick search on Google reveals many more, Opatch can often fail to update the inventory"
Quotes from another interview with David Litchfield, managing director for NGS: OPatch, wherefore art thou?
Incomplete patches

Patches fail to fix the flaw

Failure to perform post installation tasks

OPatch fails to update the inventory
I will open a new post when the paper is available on the NGS site with a link for download.

Interview with Oracle Chief Security Officer - Mary Ann Davidson:
When security researchers become the problem, one of the seldom official Oracle statements about their security problems.


0 Responses to “Oracle OPatch Security Holes”

Leave a Reply

      Convert to boldConvert to italicConvert to link


About me

  • » I'm Radoslav Rusinov
  • » From Sofia, Bulgaria
  • » Employer TechnoLogica Ltd.
  • » I am working as a Database Consultant in Sofia, Bulgaria. My main professional interests are in the database area and especially in the Oracle RDBMS, including database design, development, security and administration.
  • » The views expressed on this blog are my own and do not necessarily reflect the views of my employing company and its affiliates
  • » My profile

RSS 2.0 Feed

Search This Blog with Google

Search This Blog with Free Find

powered by FreeFind

Search This Blog with Technorati

Previous Posts


Articles & Presentations

Discover Bulgaria

Oracle News & Blogs Aggregators

Oracle Resources

Remote DBA

Oracle User Groups

Oracle Blogs

Oracle Forums

Security Resources

Professional CV

Blog Statistics



               Page Rank Checker