3400 Bridge Parkway, Suite 101
94065 Redwood Shores, CA, us
+44 (207) 183-2839
Oracle needs to provide work-around instructions as well as patching, says Imperva CTO
This one has 88 patches. Only four issues are in the Oracle database server whereas six are in MySQL database server. Key observations regarding the four database vulnerabilities, two are interesting:
One vulnerability is severe, ranking 9 on a 10 scale. What is significant about this issue? It is the most severe even though exploiting it requires authentication. In this case, the vulnerability is in a component that is installed by default and known to have been vulnerable in the past on more than a few occasions. What does this component do? It allows users to do geometric searches. However, geometric search is not used very widely. Since the geometric search isn't used very much, so Oracle should recommend, for example, removing the package altogether so only those who need it are exposed to it.
The second vulnerability is a 7.1 on a 10 scale since it's a complex exploit-but this seems low. Why? This vulnerability requires two procedures: create library and create procedure. What is of most interest here it the create library capability which maps the OS module to the database-an inherently dangerous process because you could map any OS native code to be mapped as stored procedures accessible through a DB SQL session. We suspect that the vulnerability allows server takeover using uncontrolled mapping, and that the patch reduces the ability to map arbitrary modules. Regardless, a better method would be to simply not allow anyone but an administrator to perform this process"
Die Nutzung von hier veröffentlichten Informationen zur Eigeninformation und redaktionellen Weiterverarbeitung ist in der Regel kostenfrei. Bitte klären Sie vor einer Weiterverwendung urheberrechtliche Fragen mit dem angegebenen Herausgeber. Bei Veröffentlichung senden Sie bitte ein Belegexemplar an firstname.lastname@example.org.