
Oracle vulnerability

From: Nirmalya Das <nirmalya_at_hln.com>
Date: Mon, 6 Feb 2006 10:27:38 -0800
Message-ID: <20060206102738.7asfbh44w4gg0o80@www.hln.com>


I have an Oracle 10g (10.1.0.4.0) installation....

How important is the following patch? Has anyone already applied this patch? Anything to watch out for?

Oracle vulnerability:

Oracle is advising its customers to quickly apply a critical database patch the company issued last week. Security experts warn the hole could allow even unsophisticated users to take control of Oracle databases.

The patch, known as DB18, fixes a hole that affects most supported versions of the Oracle database software, including Oracle versions 8, 9 and 10. The hole is "very severe" and allows users to bypass the Oracle database's authentication and become administrative "super users," according to Shlomo Kramer, CEO of Imperva, which discovered the hole. However, Kramer and others say Oracle may be downplaying the seriousness of the threat out of concern that malicious hackers could be tipped off to the severity of the issue.

Oracle Corp. said that it patches security holes in the order of their severity and categorized DB18 as a serious vulnerability with the potential for wide impact in the January Critical Patch Update [CPU], according to an e-mail statement.

The security hole is part of the standard user authentication mechanism used by Oracle database clients, according to information published by Imperva.

That authentication consists of two separate client requests and server responses.

By manipulating a variable in one of those requests that is used to set the language and location of the client, ordinary users with "create session" privileges can run commands as SYS, the highest-level Oracle account, Imperva said.

The patch process needs to be taken seriously, and the patch can be downloaded from the site below:

http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

TIA Nirmalya

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Feb 06 2006 - 12:27:38 CST
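The quoted article says the flaw lets any account holding "create session" act as SYS until the January 2006 CPU (DB18) is applied. The following audit query is an added example, not part of the original post or of Oracle's documentation; it assumes it is run as a DBA on the 10g instance in question and lists which accounts hold CREATE SESSION directly or through a role, so the reader can size the exposure before the patch goes in. Role inheritance is followed one level only (enough for CONNECT), and the OPatch inventory remains the authoritative record of whether the patch itself is installed.

```sql
-- Added example (not from the original post): size the exposure window
-- described in the article. Any account that can open a session on an
-- unpatched 8/9/10 database is in scope for the DB18 authentication bypass.
-- Assumes: run as a DBA-privileged user on the affected instance.

-- 1. Confirm which release is running (the article names 8, 9 and 10).
SELECT banner
  FROM v$version
 WHERE banner LIKE 'Oracle%';

-- 2. Accounts granted CREATE SESSION directly ...
SELECT u.username,
       u.account_status,
       'DIRECT' AS via
  FROM dba_users     u
  JOIN dba_sys_privs p ON p.grantee = u.username
 WHERE p.privilege = 'CREATE SESSION'
UNION ALL
-- 3. ... and accounts that inherit it through a role (one level deep,
--    e.g. the 10g CONNECT role). Nested roles are not expanded here.
SELECT u.username,
       u.account_status,
       r.granted_role AS via
  FROM dba_users      u
  JOIN dba_role_privs r ON r.grantee = u.username
  JOIN role_sys_privs s ON s.role    = r.granted_role
 WHERE s.privilege = 'CREATE SESSION'
 ORDER BY 1, 3;
```

Accounts that appear in the result with an OPEN status are the ones whose credentials matter most during the window before the patch is applied; locked or expired accounts still show up so that their role grants can be reviewed at the same time.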

