
    Oracle Confirms Holes in Two Latest Patch Sets

    By
    Lisa Vaas
    -
    July 22, 2005

      After releasing a patch earlier this month for a faulty April Cumulative Patch Update, Oracle Corp. now says its patched patch also needs to be fixed. In addition, its July patch set is flawed, according to an e-mail that its Global Product Support division sent out last week.

      Oracle had initially attempted to fix the faulty April patch set after David Litchfield, managing director at U.K.-based Next Generation Security Software Ltd., brought the faulty patch to the company's attention. As it turned out, the underlying vulnerability had never been fixed.

      The April Critical Patch Update addressed 70 security flaws in Oracle database and application server products, but during routine testing, Litchfield discovered that the patch was sending scripts to the wrong directory and that the source of the actual flaw was not addressed.

      In early July, Oracle customers received an e-mail that said a step was missing in the installation script of the April CPU that caused a jar file not to be uploaded to the database. Oracle, it turns out, misstated one of the affected products: Database 9.2.0.6 was unaffected, and no fix is required.

      But Oracle for a second time didn't get it right. The fix for the faulty patch set didn't work, according to an e-mail sent to customers from Oracle Global Product Support on Thursday night. “It was discovered that the steps provided earlier did not rectify the problem completely,” the company said in the e-mail.

      Those who have applied the July CPU should be all set—with regard to the faulty April patch set, that is.

      But the July patch itself, according to Oracle, is flawed. Oracle Global Product Support last week sent out an e-mail telling customers that those who have already applied the Critical Patch Update for July must now re-download it for Oracle Database 10.1.0.3 and 10.1.0.4.

      The reason for the second download is that Oracle discovered a flaw that would cause a manually created database to be shown in a pending state when it is discovered by Oracle Enterprise Manager. The flaw affects all platforms, but it is only relevant for those customers who use EM to monitor Oracle installations.

      Alexander Kornbrust, founder and CEO of Red-Database-Security GmbH, a company that specializes in Oracle security audits, said that Oracle's patching process is clearly “a complete mess.”

      “This is an indication that the quality of the patches is not so good,” he said. Kornbrust this week went public with details of six unpatched vulnerabilities, some critical, in Oracle products after waiting more than 700 days for Oracle to address the issues.

      Oracle reportedly has also failed to mention the patch flaws on the Oracle Technology Network. Kornbrust said that this approach to communicating vulnerabilities and patch reissues is in itself problematic, given that Oracle's e-mail could inadvertently get waylaid by spam filters. Also, without mention on OTN, customers have no way of verifying that the e-mail is from Oracle and is not spam, he said.

      “If the e-mail is accidentally deleted, then this information is never on the [OTN],” he said. “And there's no chance to verify if this e-mail is correct.”

      Oracle did not respond to requests for comment. But Kornbrust said that he and Pete Finnigan, founder of PeteFinnigan.com Ltd., a British company that specializes in Oracle and security, don't view the e-mails as phishing attempts, since it's not necessary to enter e-mail addresses or to hand over other identifying information.

      Oracle is notoriously tight-lipped about its security patches. In this case, it may be niggardly in distributing the information because few customers are affected, Kornbrust suggested, given that the July CPU has only been out for a short while, and few people would have downloaded it already.

      “Most DBAs [database administrators] I know are very busy, and they wait,” he said. “They know from experience that it's better to wait a few days before applying these patches and downloading these patches. It's typical for Oracle to change patches afterwards.”

      While it might seem risky to leave a database server unpatched when there are known critical flaws in circulation, most Oracle servers are tucked into intranets as opposed to being exposed on the Internet, where they're most vulnerable, Kornbrust said.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
