And you thought your patched Oracle database was secure
The latest quarterly Critical Patch Update for Oracle 10gR2 does not plug a hole that allows published attack code to run.
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The patch for 10g Release 2 for April 2006 Critical Patch Update does _not_ contain a fix for the specific flaw that the exploit takes advantage of. As it happens – this specific flaw was reported to Oracle on the 19th of February 2006.
This is according to David Litchfield.
Ok! Now what?
(via digg)
Related articles:
- Oracle E-Business Suite technology stack and products cheat sheet
- Download Oracle Database 11g Release 1 Now
