Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle vulnerability

From: Paul Drake <bdbafh_at_gmail.com>
Date: Tue, 7 Feb 2006 12:25:14 -0500
Message-ID: <910046b40602070925y64978430g89454b637ba576af@mail.gmail.com>


On 2/6/06, Nirmalya Das <nirmalya_at_hln.com> wrote:
>
> I have an Oracle 10g (10.1.0.4.0) installation....
>
> How important is the following patch.....
> Has anyone already applied this patch....anything to watch out for?
>
>
> Oracle vulnerability:
>
> Oracle is advising its customers to quickly apply a critical database patch
> the company issued last week. Security experts warn the hole could allow
> even unsophisticated users to take control of Oracle databases.
>
> The patch, known as DB18, fixes a hole that affects most supported versions
> of the Oracle database software, including Oracle versions 8, 9 and 10. The
> hole is "very severe" and allows users to bypass the Oracle database's
> authentication and become administrative "super users," according to Shlomo
> Kramer, CEO of Imperva, which discovered the hole. However, Kramer and
> others say Oracle may be downplaying the seriousness of the threat out of
> concern that malicious hackers could be tipped off to the severity of the
> issue.
>
> Oracle Corp. said that it patches security holes in the order of their
> severity and categorized DB18 as a serious vulnerability with the potential
> for wide impact in the January Critical Patch Update [CPU], according to an
> e-mail statement.
>
> The security hole is part of the standard user authentication mechanism used
> by Oracle database clients, according to information published by Imperva.
>
> That authentication consists of two separate client requests and server
> responses.
>
> By manipulating a variable in one of those requests that is used to set the
> language and location of the client, ordinary users with "create session"
> privileges can run commands as SYS, the highest-level Oracle account,
> Imperva said.
>
> The patch process needs to be taken seriously and can be downloaded from the
> below site:
>
> http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
>
> TIA
>
> Nirmalya
> --
> http://www.freelists.org/webpage/oracle-l

Nirmalya,

Please refer to Metalink Note:343384.1.

At this point you might want to consider waiting for the 10.1.0.5 patchset and its one-off patch for your OS.

10.1.0.5 Windows32: Patch 1 (4882231) or later - ETA : 10-Feb-06

Make sure that you read the entire readme.html for the patchset/patch and use the most recent version of OPatch.

Patch 2617419 (24-JAN-2006 v1.0.0.0.55)

If you do elect to apply the patch for 10.1.0.4, you might want to consider applying Patch 10 - 4925998

10.1.0.4 Windows32: Patch 9 (4751259) or later

If you have additional questions - an Oracle Support Analyst might be your best bet.
Read the readme files.
Test in a test environment.

Paul

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Feb 07 2006 - 11:25:14 CST
