Oracle’s Quarterly Critical Patch Update is Out

Posted in: Technical Track

The latest quarterly update came out this morning. There are oh-my-god smoking guns this time, but several medium-important patches:

CVE-2008-2607: Vulnerability in DBMS_AQELM (Advanced queueing package for e-mail and HTTP notifications)
CVE-2008-2613: Vulnerability in DBMS_SCHEDULER, requiring access to a local user in the oinstall group for exploitation
CVE-2007-1359: Remotely-exploitable vulnerability in Oracle App Server. This is an issue in the ModSecurity application firewall that was originally reported in March 2007 that allows some security checks to be bypassed given a specially-formatted string. The original advisory is here.
CVE-2008-2589: PL/SQL injection flaw in Oracle Portal. Details were posted to the full disclosure list in conjunction with the patch
CVE-2008-2594 and CVE-2008-2609: These look like two more injection flaws in Portal.

If you’re running Oracle Collaboration Suite, note that the patch blows away the login and logout pages (oops!). MetaLink note 445172.1 has info on how to restore the pages post-patch.

Interested in working with Marc? Schedule a tech call.

About the Author

Marc is a passionate and creative problem solver, drawing on deep understanding of the full enterprise application stack to identify the root cause of problems and to deploy sustainable solutions. Marc has a strong background in performance tuning and high availability, developing many of the tools and processes used to monitor and manage critical production databases at Pythian. He is proud to be the very first DataStax Platinum Certified Administrator for Apache Cassandra.

No comments

Leave a Reply

Your email address will not be published. Required fields are marked *