Oracle Security Alert #48

Does Oracle Security Alert #48 (bug 2642117) - Buffer Overflow in DIRECTORY parameter of Oracle9i Database Server affect an Oracle 8i v 8.1.6.0 database?
I know the Oracle Alert states it affects Oracle 8i v 8.1.7, but I'm not sure if that would mean it affects older releases like v 8.1.6.0.
Thanks

Some clips:
"Products Affected
Oracle9i Database Release 2, Version 9.2.x
Oracle9i Database Release 1, Version 9.0.x
Oracle8i Database, Version 8.1.x
Oracle8 Database, Version 8.0.x"
"Currently there are no plans to release a patch for 8.0.5.x, 8.1.5.x, 8.1.6.x."

Similar Messages

  • TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

    Hi,
    I'm looking to implement the following Oracle document about COST but am not sure what we need to do for a standby environment.
    Can you guys please advise?
    Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
    Oracle Security Alert for CVE-2012-1675
    Thanks

    user097815 wrote:
    with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this affects DBs that are externally or internally....meaning 95% of our DBs are in network (internally) behind our firewall....and the rest of the 5% are outside our firewall facing the world wide web....so does this apply to both or just one?

    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

  • Oracle Security Alert for CVE-2012-1675

    Hi,
    I want to know more about recent release "Oracle Security Alert" : http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
    Document available in https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1453883.1
    The fix is about Class of Secure Transport (COST). I need to know the detailed steps to find out whether this change needs to be applied to my databases or not.
    About my DBs : 10.2.4 , AIX, Nondefault Listener, Shared env , non RAC, local_listener is null & running in pfile.
    Thx,
    Gowin.

    Hello;
    Apply it. Very clean. Simple. No outage on Non-RAC. Biggest Impact is listener stop and start. Took about 3 minutes per server.
    Tested today and had zero issues. ( Assumed you understood a CONNECT was part of the test ). Zero issues.
    Had a thread on this here a few days ago :
    Oracle TNS Poison vulnerability
    See Oracle Support Note 1453883.1 for additional information.
    Best Regards
    mseberg
    With all due respect this isn't very hard. Make a decision.
    Edited by: mseberg on May 2, 2012 7:13 AM

  • Java error - Oracle Security Alert for CVE-2010-4476

    I have come across this security alert described at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
    In summary - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.
    This vulnerability affects:
    Java SE
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
    JDK 5.0 Update 27 and earlier for Solaris 9
    SDK 1.4.2_29 and earlier for Solaris 8
    Java for Business
    JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
    JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
    SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
    Java for MacOS X 10.6 update 3 updates Java to SE 6 to version 1.6.0_22.
    Is anyone aware of new Java update for Mac that will fix this problem? If one doesn't exist, does anyone know when a new update will be available?
    Thanks.

    Hi Hussein,
    have you applied this? Please can you update?
    Our environment: 11.5.10.2 (9.2.0.7)running on HP-UX PARISC. We are using Jinitiator. We are not yet migrated to J2SE Plugin.
    So, since the security patch is for JRE, is that still required for our environment?
    Please advise?
    Edited by: oraDBA2 on Feb 13, 2011 9:12 PM

  • Oracle Security Alerts via e-mail

    Hi -
    I'm trying to figure out how to get Oracle to send security alerts to me via e-mail, instead of my having to go to the web site (http://otn.oracle.com/deploy/security/alerts.htm).
    Thank you!!

    Hi Anand,
    Go through this link for establishing an HTTP connection to the external mail server
    http://help.sap.com/saphelp_47x200/helpdata/en/ae/71583ca544eb51e10000000a114084/content.htm
    >> where do I maintain the e-mail address to which these alerts are to be forwarded
    The steps are as follows:
    1) Select the Alert Category and check the “Additional configurations” and execute it.
    2) In the pop-up window,
    under Fixed recipients, give the name of a Fixed Recipient User (the user should be present in SU01).
    3) And press the Create Alert button.
    The e-mail address of the fixed recipients is taken from SU01 (User Management). Please check that the email ID is present there for the recipients.
    Hope it helps.
    Regards
    Arpit Seth

  • Security Alert # 68 Question

    I have 8.1.7.4 on Windows 2000 server.
    Does patch 8.1.7.4.16 correct the Oracle Security Alert #68? The readme file does not state any information about this alert.

    Patch 8.1.7.16 is patch number 3820881 and the original patch for alert #68. 8.1.7.17 (3709700) is cumulative and therefore supersedes 8.1.7.16 , which means alert #68 is addressed.
    Patchsets are major patches like 8.1.7.4 and should be always applied, patches like 8.1.7.4.17 have to be applied only if your applications are affected by the bugs described in the README file.

  • Alert #68: Oracle Security Update

    Hi All ,
    I am new to the world of Oracle EBS and I was recently assigned the DBA task in my company for the EBS 11.5.10.2 that was installed by a former DBA.
    Our security department is following up on a security update by Oracle in the link.
    http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
    I see that my database is version 9.2.0.6 so I do not think I need to do anything there. Is that true?
    For the application server, can someone help me to find what version I have? Also, how do I apply the patch if needed?
    I also do not know if the former DBA already installed the patch or not. How do I find out?
    Thanks

    Saeed,
    You do not need to install any iAS rollup patch since you are on the latest one.
    For Oracle HTTP Server security patches, you need to have Patch 3835781 installed. This is already explained in the following notes:
    Note: 281189.1 - SECURITY ALERT #68 - Oracle Security Update (Patch Availability Matrix)
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
    Note: 283402.1 - How to Patch Application Server for Security Alert 68 - Specific Examples
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=283402.1
    Note: 282426.1 - Security Alert #68 - FAQ for Oracle Application Server Products
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=282426.1

  • Can not see 5 security alert on OTN

    I can not see following alerts since 5/16/2003 from the URL
    http://otn.oracle.com/deploy/security/alerts.htm
    Could OTN please check to see what happened?
    oracle connection manager control SUID vulnerability
    oracle internet directory buffer overflow vulnerabilities
    oracle internet application server and web/portal vulnerabilities
    oracle enterprise manager backup and recovery vulnerability
    oracle SQL*net and net8 listener vulnerability

    Thanks- this was fixed.
    OTN

  • Wrong PDF on Security Alerts Page

    On the Security Alerts page (http://otn.oracle.com/deploy/security/alerts.htm) there is a link next to "Buffer Overflow Vulnerability in Oracle9iAS Reports Server Alert #35, 05 June 2002" which links to a document called http://otn.oracle.com/deploy/security/pdf/reports6i_alert.pdf
    This document is actually a copy of the document for a different vulnerability "Buffer Overflow Vulnerability in Oracle Net (Oracle9i Database Server) Alert #34, 05 June 2002"
    Please fix it so we can read about the 9iAS Reports Server Alert!
    Thanks,
    -Otto

    Hi Otto,
    This should now be fixed on OTN but please let us know if you encounter any difficulties.
    Regards,
    OTN Team

  • Oracle Security Vulnerabilities?

    Hi all,
    We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
    Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
    They provided me with two sources to explain the issues:
    http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
    and
    Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
    Is this really a security problem? If so, what can be done to mitigate the risk?
    Thanks,
    John

    Hi all,
    I thought I’d jump in this thread with a few thoughts.
    Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
    Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and releases fixes for them through the Critical Patch Update.
    An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (this is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you to the current security patch level, and this will significantly contribute to improving your organization’s security posture.
    Do not hesitate to contact me if you have questions at [email protected]
    Sincerely
    Eric Maurice
    Manager – Oracle Software Security Assurance

  • Security alert 68

    Has anyone applied the patch for the security alert on Windows 2k Oracle9i? Can you share your installation procedure?
    I find the instructions from Oracle very sloppy.
    Thanks

    Patch 8.1.7.16 is patch number 3820881 and the original patch for alert #68. 8.1.7.17 (3709700) is cumulative and therefore supersedes 8.1.7.16 , which means alert #68 is addressed.
    Patchsets are major patches like 8.1.7.4 and should be always applied, patches like 8.1.7.4.17 have to be applied only if your applications are affected by the bugs described in the README file.

  • How to disable Security Alert popup each time for trusted site in IE on Win XP

    A user is using a slow computer running Windows XP SP3 and Java 7 update 45.
    When the user opens the site www.rocars.gov.hk in Internet Explorer 8, it waits around 2 minutes before displaying a security alert popup window. Then the user needs to click Y to continue. Actually this website is trusted. How can I disable the security alert popup each time?
    I asked the technical support from www.rocars.gov.hk and they replied that this issue is related to Java. So I ask here.

    918ee531-e393-4945-a46c-cd83c779af9a wrote:
    A user is using a slow computer running Windows XP SP3 and Java 7 update 45.
    When the user opens the site www.rocars.gov.hk in Internet Explorer 8, it waits around 2 minutes before displaying a security alert popup window. Then the user needs to click Y to continue. Actually this website is trusted. How can I disable the security alert popup each time?
    I asked the technical support from www.rocars.gov.hk and they replied that this issue is related to Java. So I ask here.

    What does this problem have to do with Oracle DB?

  • Critical Patch Updates and Security Alerts in June?

    I just got an alert for CPU and was wondering whether this is the July CPU - has anybody gotten this alert? See link here:
    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

    Hi;
    You could get email from Oracle which mentions warnings, notifications, etc. about CPU.
    As you know CPUs are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
    19 July 2011
    18 October 2011
    17 January 2012
    17 April 2012
    Regards
    Helios

  • Update JDK:Java Security alerts and CPU patching

    What should we do if we have already updated the JDK in various Oracle database homes? Should we revert / downgrade the JDK back to the original version or stay with the updated versions per previous Java Security alerts and CPU patch availability notes, as in MOD doc id:1449674.1?

    CPU is a quarterly update containing all (security) patches that are important but do not need immediate implementation. Other alert patches are more important and should be immediately implemented.

  • OBIEE Security Alerts

    Is there a metalink note which lists all CPU or security alerts for the OBIEE product?
    We are currently applying the latest security patches for our various oracle products but cannot find any listing for OBIEE

    I don't think there're any security patches for OBIEE, at least I'm not aware of any. I think that OBIEE isn't a security threat in itself, as long as your servers are secure.
