    Oracle Confirms Holes in Two Latest Patch Sets

    By
    Lisa Vaas
    -
    July 22, 2005

      After releasing a patch earlier this month for a faulty April Cumulative Patch Update, Oracle Corp. now says its patched patch also needs to be fixed. In addition, its July patch set is flawed, according to an e-mail that its Global Product Support division sent out last week.

      Oracle had initially attempted to fix the faulty April patch set after David Litchfield, managing director at U.K.-based Next Generation Security Software Ltd., brought the faulty patch to the company's attention. As it turned out, the underlying vulnerability had never been fixed.

      The April Critical Patch Update addressed 70 security flaws in Oracle database and application server products, but during routine testing, Litchfield discovered that the patch was sending scripts to the wrong directory and that the source of the actual flaw was not addressed.

      In early July, Oracle customers received an e-mail that said a step was missing in the installation script of the April CPU that caused a jar file not to be uploaded to the database. Oracle, it turns out, misstated one of the affected products: Database 9.2.0.6 was unaffected, and no fix is required.
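      The failure described above is a patch that "succeeded" without changing the database: a missing step in the installation script meant a JAR file was never loaded, so the vulnerable code stayed in place while the patch log looked clean. The following check is an added example for this article, not Oracle's own verification procedure and not part of the original e-mail. It assumes only the standard Oracle data dictionary views DBA_OBJECTS and DBA_REGISTRY; the 'PATCH_WINDOW_START' date and the expectation that a CPU touches Java objects are assumptions a DBA would replace with the patch's own readme details. It flags Java classes left INVALID (a symptom of a partially loaded JAR) and lists which Java objects were actually modified in the patch window, so "no rows" where the readme promised changes is a signal to re-read the install log rather than to trust it.

```sql
-- Added example: post-CPU sanity check for Java objects in the database.
-- Assumption: the patch was applied on or after this date (replace it).
DEFINE PATCH_WINDOW_START = TO_DATE('2005-07-12', 'YYYY-MM-DD')

-- 1. Any Java object left INVALID after the patch suggests a JAR that was
--    only partially loaded or never loaded at all.
SELECT owner, object_type, object_name, status, last_ddl_time
  FROM dba_objects
 WHERE object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE')
   AND status <> 'VALID'
 ORDER BY owner, object_type, object_name;

-- 2. Which Java objects were actually touched in the patch window?
--    Zero rows here, when the patch readme says it reloads a JAR,
--    means the install step was skipped regardless of what the log says.
SELECT owner, object_type, COUNT(*) AS objects_changed,
       MIN(last_ddl_time) AS first_change, MAX(last_ddl_time) AS last_change
  FROM dba_objects
 WHERE object_type IN ('JAVA CLASS', 'JAVA SOURCE', 'JAVA RESOURCE')
   AND last_ddl_time >= &PATCH_WINDOW_START
 GROUP BY owner, object_type
 ORDER BY owner, object_type;

-- 3. Confirm the JServer (Java VM) component itself is still VALID;
--    a broken Java installation invalidates any JAR-based fix.
SELECT comp_id, comp_name, version, status, modified
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';
```

The point of running the second query is independence from the installer: the install script's own exit status told Oracle's customers the April CPU was applied when it was not, so the confirmation has to come from the object the patch was supposed to change, not from the tool that was supposed to change it.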

      But Oracle for a second time didn't get it right. The fix for the faulty patch set didn't work, according to an e-mail sent to customers from Oracle Global Product Support on Thursday night. “It was discovered that the steps provided earlier did not rectify the problem completely,” the company said in the e-mail.

      Those who have applied the July CPU should be all set—with regard to the faulty April patch set, that is.

      But the July patch itself, according to Oracle, is flawed. Oracle Global Product Support last week sent out an e-mail telling customers that those who have already applied the Critical Patch Update for July must now re-download it for Oracle Database 10.1.0.3 and 10.1.0.4.

      The reason for the second download is that Oracle discovered a flaw that would cause a manually created database to be shown in a pending state when it is discovered by Oracle Enterprise Manager. The flaw affects all platforms, but it is only relevant for those customers who use EM to monitor Oracle installations.

      Alexander Kornbrust, founder and CEO of Red-Database-Security GmbH, a company that specializes in Oracle security audits, said that Oracle's patching process is clearly “a complete mess.”

      “This is an indication that the quality of the patches is not so good,” he said. Kornbrust this week went public with details of six unpatched vulnerabilities, some critical, in Oracle products after waiting more than 700 days for Oracle to address the issues.

      Oracle reportedly has also failed to mention the patch flaws on the Oracle Technology Network. Kornbrust said that this approach to communicating vulnerabilities and patch reissues is in itself problematic, given that Oracle's e-mail could inadvertently get waylaid by spam filters. Also, without mention on OTN, customers have no way of verifying that the e-mail is from Oracle and is not spam, he said.

      “If the e-mail is accidentally deleted, then this information is never on the [OTN],” he said. “And there's no chance to verify if this e-mail is correct.”

      Oracle did not respond to requests for comment. But Kornbrust said that he and Pete Finnigan, founder of PeteFinnigan.com Ltd., a British company that specializes in Oracle and security, don't view the e-mails as phishing attempts, since it's not necessary to enter e-mail addresses or to hand over other identifying information.

      Oracle is notoriously tight-lipped about its security patches. In this case, it may be sparing in distributing the information because few customers are affected, Kornbrust suggested, given that the July CPU has only been out for a short while, and few people would have downloaded it already.

      “Most DBAs [database administrators] I know are very busy, and they wait,” he said. “They know from experience that it's better to wait a few days before applying these patches and downloading these patches. It's typical for Oracle to change patches afterwards.”

      While it might seem risky to leave a database server unpatched when there are known critical flaws in circulation, most Oracle servers are tucked into intranets as opposed to being exposed on the Internet, where they're most vulnerable, Kornbrust said.


      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.