RE: April CPU 2014

From: Sayan Sergeevich Malakshinov <malakshinovss_at_psbank.ru>
Date: Wed, 30 Apr 2014 16:30:08 +0400
Message-ID: <OFBF497044.89DFD518-ON44257CCA.004351B4-44257CCA.0044AD41_at_psbank.ru>



BTW, another security vulnerability was fixed in one of the latest patches (this vulnerability is no longer present, at least, after the January Exadata patch bundle and CPUAPR2014); it allowed update/delete/insert on tables with the "select" grant only.
I found it later than it was fixed in main codeline, but this vulnerability wasn't listed in CPU advisories.
--
Best regards,
Sayan Malakshinov
http://orasql.org
root_at_xt-r.com

oracle-l-bounce_at_freelists.org wrote 2014-04-30 15:47:45:

>
> April CPU 2014
>
> Hello List,
>
> April CPU 2014 for DB will be of interest for high security environments
> i.e. two privilege escalations I found have kindly been fixed by Oracle.
>
> http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixDB
> There are details about the fixed issues in the book just released
> http://www.apress.com/9781430262114 - though it is mainly about defence both in
> terms of using CC to reduce risk on large estates, and also how to make
> privileged access controls like breakglass more effective, which again will
> be of interest for the sec minded folks wanting to make their DB
> environments safer.
>
> Cheers,
> Paul
> www.oraclesecurity.com
-- http://www.freelists.org/webpage/oracle-l
Received on Wed Apr 30 2014 - 14:30:08 CEST
