Oracle Patch Shows Even Long Established Programs Have Vulnerabilities
Every major release of Oracle brings a number of new components and functions, and presumably some buggy software. Like Windows admins, Oracle DBAs have learned to wait before rushing to install a major upgrade. The latest Oracle patch shows that even components that are as old as dirt can have security vulnerabilities, so even if we aren't using the newer features like spatial options, app server or database vault, we still need to patch.
From the Oracle's release:
27 new security fixes for the Oracle Database. 5 of these database vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password. No new security fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed.
The vulnerability that tops the list is in the import utility. It seems that anyone with CREATE PROCEDURE privilege could execute code as SYS (the equivalent of root in the database).
It pays to review users and assigned privileges and keep both sets as small as possible.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
