April 2014 CPU
Hi Oracle Security Folks,
Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP (GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which gains 8.5 in the CPU, which I am not going to publish here as I want to give folks time to patch: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html. Both of the issues fixed in the April DB Patch are from me this time.
Note that the CVSS 8.5 was not discussed at any conferences – it’s new. Actually the CVSS 8.5 is detailed in my new book, which has just come out after the patch release, and is available from Apress http://www.apress.com/9781430262114 and Amazon http://www.amazon.co.uk/Protecting-Oracle-Database-Paul-Wright/dp/1430262117. There is some new exploit research in there, but the main thrust of the book is Defense and Protection – especially using Enterprise Manager/Cloud Control to defend an estate and how to secure privileged access control mechanisms such as breakglass. I am very honored that Jonathan Gennick edited the book, Arup Nanda technically reviewed the book, and that Slavik Markovich – CTO of McAfee – wrote a kind foreword to the book as well. There have also been quite a few other folks involved whom I list in the Acknowledgements section. It’s taken a year to write, so hopefully you will like it.
Anyhow, more detail to come on that in the future. For now I recommend installing the patch and reading the book… though it has to be said – that was where I was 9 months ago… and the world has not stopped spinning yet… Global SCN still rising :) but hopefully no maximum in sight yet!
Keep safe,
Paul