Just finished a review of the Oracle January 2009 Critical Patch Update/advisory (CPU).

There are two issues that you need to pay attention to with this release: If you are using Oracle Secure Backup or Weblogix Server plugins, you will want to download and patch ASAP. Here is why:

In the former case, it appears that the Fortinet team discovered a few bugs within the Oracle Backup Server that can be exploited by buffer overflow, resulting in a server crash or worse. I have not seen any specific exploits for this, but I have heard that this could result in the hacker being able to execute arbitrary code on the backup server for the Windows platform. That is bad news as not only can you tapes be overwritten, but he backup server could be used to launch attacks against other services. I am making the assumption that you are blocking port 10,000, but regardless, patch ASAP.

The second issue has to to with the Weblogic plug-in for Apache/IIS. I have asked a couple people if they understand the scope of the exploit, but none of my contacts know the specifics. If you know, please send me an email. As a matter of course I am really wary of threats to the web application stack as an attacker has many different methods to exercise vulnerabilities, and will, as soon as they learn about the vulnerability. If you are using the plug-in, patch ASAP.

The core database server does not seem to suffer any significant vulnerabilities. One of the bugs that is patched allows a user to execute certain functions and circumvent the auditing functions, so if you are using Oracle’s native audit for regulatory efforts, or to seed a Database Activity Monitoring solution, consider the patch a little higher priority. Otherwise I recommend that you patch according to your established deployment cycles.