Oracle released patches yesterday. All details are -traditionally- hidden behind metalink login screens.
I counted 65 vulnerabilities (give or take a few) in the report, no workarounds for any of them have been released.
Since we're not supposed to look deeper than the surface it's very hard to add any value to what Oracle released, so be sure to get more details if you have any of their software running and make sure it gets appropriately patched ASAP.
In the past I found it helpful to print out the tables of the vulnerabilities, highlight the software and versions we were using and then going over those left with a DBA sitting next to me to determine what was to be patched how and when. Unfortunately you might run into 3rd party vendors not approving of any upgrading/patching creating a catch-22 situation.
If you run exposed (e.g. http) oracle based servers this might be one of those moments to reconsider the architecture. Yes, it's not without pain, and the developers of the application will hate you for it. But at least you get back some control over what patch goes on when, instead of being forced to rely on obscurity for months in a row.
The next scheduled batch of patches for Oracle is due on October 17th. So make sure the days after it are marked to not let the DBAs take a vacation at that time.
Disclaimer: I really do not like Oracle's handling of patches at all: I find 3 months way too long; 65 vulnerabilities to deal with in one go way too many; I hate not being able to see any details; I feel they could come up with some workarounds in those months preceding their release; I wonder how many bad guys do have and use a metalink login/password, while any self-respecting security professional cannot ... .
Thanks to fellow handler Koon Yaw Tan for noticing the release.
Swa Frantzen -- Section66
Jul 19th 2006
1 decade ago