Wed 21 Oct 2009
Oracle has released the October CPU with 38 announced security fixes (and more under the covers). 16 database vulnerabilities out of which a mind blowing 6 may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Also, 3 of those will allow you to completely compromise the machine!
If you have one of the mentioned versions (188.8.131.52, 10.1.0.5, 10.2.0.4) you know you need to patch!
It’s also important to understand that if you have any 9i, 10gR1 or 10gR2, you’re vulnerable. Oracle just provides CPUs to the latest patch-sets.
The usual suspects are present in the credits – Alex, David, Joxean, Dennis, Cesar, Alexandr, Laszlo – good stuff.
Sentrigo was given credit for both discovering vulnerabilities and for security in depth. Way to go, Red Team!
Of course, Sentrigo customers are already protected against many of the vulnerabilities using our own vPatches and we will release updated vPatches to cover the others.
In this case, my advice is not even to wait a week to make sure that there are no issues with the patch since the vulnerabilities are so severe. Patch as soon as possible – but only after ensuring that your applications are not breaking.
No Responses to “ Oracle October 2009 CPU ”
Sorry, comments for this entry are closed at this time.