Oracle Patch Problems



John Stith
Staff Writer
2005-11-10

It seems like everyone is having patch problems. On Tuesday, NGS researchers discovered problems in Oracle's most recent Critical Patch Update. The biggest problem stems from the patch's failure to install the Oracle Text components on Oracle 8.1.7.4 on all operating systems.

SELECT DBMS_REGISTRY.SCRIPT('CONTEXT','@ctxcpu.sql')....

the install script executes

SELECT DBMS_REGISTRY.SCRIPT('CTX','@ctxcpu.sql')....

So, even if you have Oracle Text installed, the patch installer will not
install the updated PL/SQL packages. The fallout from this means that your
servers may still be vulnerable to the Oracle Text flaws; these allow a
low-privileged user to gain DBA privileges. Further, if the RDBMS is part of a
web application that uses Oracle Portal (OAS, IAS, Oracle HTTP Server), then
an attacker may exploit this from the Internet without a user ID and
password.

To check if you are still vulnerable, execute the following query:

select owner, package_name, object_name
  from all_arguments
 where owner = 'CTXSYS'
   and package_name = 'DRILOAD'
   and object_name = 'VALIDATE_STMT';

If no row is returned then you are not vulnerable but if a row is returned
then you are vulnerable. In this case you should manually apply the
ctxcpu.sql script.

NGSSQuirreL for Oracle, the leading vulnerability assessment scanner for
Oracle RDBMSes, checks for these problems as well as the other many issues
that still afflict Oracle. More information about NGSSQuirreL can be found
here - http://www.ngssoftware.com/squirrelora.htm


They did comment later, though, that Oracle is improving its updates and is "beginning to treat security properly."

This is just another in a series from large tech companies that are having real problems with their patches. Microsoft has had problems with its last three patches. In addition to Oracle, Symantec has also had problems, and there are others. It would seem they need to improve their patchworking ability.



About the Author:
John is a staff writer for SecurityProNews covering cyber security.
