
Forum Thread: Patchset information incorrect

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Oracle Corporation
And, this specific program:
Oracle Database 10.x

This thread has been marked as locked.
kenjmadsen Patchset information incorrect
Member 2nd Mar, 2012 14:47
Ranking: 0
Posts: 4
User Since: 2nd Mar, 2012
System Score: N/A
Location: US
I had just installed Oracle database client 10.2.0.3 32-bit and then applied the terminal patchset 10.2.0.5 to it. Secunia PSI flagged the patch subdirectories that back up the original files. Not the problem, as I just marked them ignore. However the warning said that the latest patchset was 10.2.0.6. There is no such database patchset and there will never be one, as it is near the end of its support life. It will have CPU security patches, but these are within the 10.2.0.5 line.

mogs RE: Patchset information incorrect
Expert Contributor 2nd Mar, 2012 15:18
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@kenjmadsen

Hello.
Can't answer your query/complaint concerning the 10.2.0.6 reference.

But, are you aware that even tho' you've updated....Oracle Database 10.x is still vulnerable....from what I can see of it in the Secunia Advisory here ? :
http://secunia.com/advisories/product/3387/ rated Moderately critical

It doesn't seem very wise to ignore it.

Hope the foregoing is of some help............regards...

kenjmadsen RE: Patchset information incorrect
Member 2nd Mar, 2012 17:20
Score: 0
Posts: 4
User Since: 2nd Mar 2012
System Score: N/A
Location: US
What I was ignoring was not the operating files as patched to 10.2.0.5, but the backup copies in their patch contents subdirectories.

C:\oracle\product\10.2.0\client_32\.patch_storage\5923165_MAR_6_2007_16_02_56\original_patch\files\bin\oracle.exe
C:\oracle\product\10.2.0\client_32\install\patches\5923165\files\bin\oracle.exe

Security issues after the 10.2.0.5 patchset would be addressed by the Oracle Critical Patch Updates (CPU) patches. According to Oracle, the end of patching for 10.2.0.5 is 31-Jul-2013.
mogs RE: Patchset information incorrect
Expert Contributor 2nd Mar, 2012 17:41
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@kenjmadsen.

I just wished to make sure you were aware of the info. in the Secunia Advisory.

Is it not the case tho' that the backup patchsets are also vulnerable, PSI having detected them?

I don't have any personal experience of the program.....but I think I might be wary of keeping them if not an absolute necessity. Please correct me if I'm "off piste ".

Regards,

kenjmadsen RE: Patchset information incorrect
Member 3rd Mar, 2012 04:43
Score: 0
Posts: 4
User Since: 2nd Mar 2012
System Score: N/A
Location: US
I would think the only way to put those into play would be to have full access and uninstall the 10.2.0.5 patch. Operating files would be in the \bin directory.

There are those who make it their business to try to find ways to find vulnerabilities in Oracle Database. Most are for the programs that are actually running the database instance. To locate programs in backup dirs and execute them would certainly mean some other compromise of the host has occurred.

In my case, this is a database client installation, so the oracle.exe is unlikely to be used at all. My system is a dev system anyway, so I'm not concerned about being the target of an attack.

No harm in expressing your concerns. Those that administer Oracle systems can work with Oracle Support to determine if there is any risk by their installation backup logic leaving old files around.
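The triage kenjmadsen describes above (the live binary sits in \bin, the PSI hits are pre-patch copies under .patch_storage and install\patches that only come back into play if the patch is rolled back) can be scripted. The following is an added example, not code from the thread, from Secunia or from Oracle: it takes a scan inventory of (path, file version) pairs, classifies each copy as live or backup by its path, and checks that the live copy is at or above the expected patchset level. The BACKUP_MARKERS directory names, the sample paths and the file versions are assumptions for illustration; the two backup paths are the ones quoted in the thread, with a constructed live copy alongside them.

```python
r"""Triage PSI hits for oracle.exe inside an Oracle home.

Added example, not code from the forum thread or from Secunia/Oracle. It
separates the live binary in ORACLE_HOME\bin from the pre-patch copies OPatch
keeps under .patch_storage and install\patches, and checks that the live copy
is at or above the expected patchset level. Paths, versions and the
BACKUP_MARKERS directory names are assumptions for illustration.
"""
from pathlib import PureWindowsPath

# Directory names that mark OPatch backup trees (assumed; adjust for your home).
BACKUP_MARKERS = (".patch_storage", "patches")

# Constructed inventory, shaped like what a file scan would return:
# (path, Windows file version). The backup copies keep the pre-patch 10.2.0.3
# version; the live binary was raised to 10.2.0.5 by the patchset.
SAMPLE_INVENTORY = [
    (r"C:\oracle\product\10.2.0\client_32\bin\oracle.exe", "10.2.0.5.0"),
    (r"C:\oracle\product\10.2.0\client_32\.patch_storage"
     r"\5923165_MAR_6_2007_16_02_56\original_patch\files\bin\oracle.exe", "10.2.0.3.0"),
    (r"C:\oracle\product\10.2.0\client_32\install\patches\5923165\files\bin\oracle.exe",
     "10.2.0.3.0"),
]


def parse_version(text):
    """'10.2.0.5.0' -> (10, 2, 0, 5, 0); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def classify(path):
    r"""'backup' for copies under an OPatch backup tree, 'live' for <home>\bin\oracle.exe,
    'other' for anything else. Backup markers are checked first because the backup
    trees also end in ...\files\bin\oracle.exe."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if any(marker in parts for marker in BACKUP_MARKERS):
        return "backup"
    if len(parts) >= 2 and parts[-2] == "bin":
        return "live"
    return "other"


def triage(inventory, target="10.2.0.5"):
    """Return one record per file with its role and a verdict against `target`."""
    want = parse_version(target)
    records = []
    for path, version in inventory:
        role = classify(path)
        at_target = parse_version(version) >= want
        if role == "live":
            verdict = "ok" if at_target else "PATCH NEEDED"
        elif role == "backup":
            # Inert unless the patch is rolled back; only then does OPatch copy it back.
            verdict = "backup copy, not executed unless the patch is rolled back"
        else:
            verdict = "unexpected location, investigate"
        records.append({"path": path, "role": role, "version": version, "verdict": verdict})
    return records


def live_is_patched(inventory, target="10.2.0.5"):
    r"""True only if a live \bin\oracle.exe exists and is at or above `target`."""
    return any(r["role"] == "live" and r["verdict"] == "ok" for r in triage(inventory, target))


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['role']:<7} {r['version']:<11} {r['verdict']:<55} {r['path']}")
    print("live binary patched:", live_is_patched(SAMPLE_INVENTORY))
```

The useful output is the last line: if no live copy in \bin is at the patchset level, the scanner hit is real regardless of how many backup copies sit beside it; if the live copy is current, the backup hits can be ignored on the understanding that a patch rollback would reinstate them.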
mogs RE: Patchset information incorrect
Expert Contributor 3rd Mar, 2012 05:44
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@kenjmadsen

Thank you for the reply/explanation.

Being as a Secunia official hasn't picked up on your earlier comments regarding the 10.2.0.6 update....you could, if you wish, notify Support by e-mailing ....... support@secunia.com.......with your concerns and to clarify the position.






© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144