Oracle Critical Patch Update Advisory - January 2015

Former Member

Hello,

I would like to know if SAP is aware of vulnerabilities in Oracle 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2.

More information about a very important issue (backdoor vulnerabilities): https://threatpost.com/oracle-patches-backdoor-vulnerability-recommends-disabling-ssl/110555

Do you know when an SAP patch will be available? It is very urgent.

Oracle Critical Patch Update - January 2015

Thank you

Accepted Solutions (1)


Hi Marc.

SAP is aware of these problems.

CPU January 2015 will be part of SAP's next Bundle Patch. This comes out on 12 Feb. 2015.

Regards,

János

Answers (2)


fidel_vales
Employee

Hi,

CPUs are included in the PSUs, and SAP releases the PSUs in the SBP. Therefore the patches for the vulnerabilities will be made available, probably in the February SBP.

ACE-SAP
Active Contributor

Hi

For sure SAP should be aware of critical security problems in Oracle before threatpost starts publishing about them!

There are guys from Oracle working with SAP teams on SAP sites/labs...

A vulnerability in the PUBLIC role is not critical on a DB dedicated to SAP usage, as only the SAP user (or the admin) is supposed to connect to the DB; no other user account should exist / be used. It seems that the problem only applies when using Oracle E-Business Suite.

The POODLE vulnerability is not a problem either, for the same reason... and it is not a brand new vulnerability.

It might be a problem if you are using OEM (POODLE vulnerability CVE-2014-3566).

I do not think these fixes are urgent for Oracle DBs used in an SAP environment.

I would feel more concerned about the lack of basic security rules against old problems like TNS poisoning.

I do not see the basic recommendations below applied that often!

1714255 - Restrict Instance Registration in non-RAC environments

186119 - Restricting DB access to specific hosts

Best regards
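The two SAP notes cited in the answer above map onto Oracle Net settings that can be audited from the configuration files alone. As an added example (not code from the thread or from SAP), the following Python script parses listener.ora and sqlnet.ora text and reports whether each listener restricts instance registration to IPC (SECURE_REGISTER_<listener> = (IPC), the standard non-RAC setting against TNS poisoning) and whether TCP valid node checking is enabled with a non-empty invited-node list (TCP.VALIDNODE_CHECKING / TCP.INVITED_NODES). The association of those parameters with notes 1714255 and 186119 is my reading of the notes' titles, not text from the thread, and the sample configuration files below are constructed for the example.

```python
"""Audit Oracle Net configuration for the two TNS hardening measures
discussed above. Added example; the sample files are constructed and
the note-to-parameter mapping is an assumption stated in the lead-in."""
import re

# Constructed listener.ora: two listeners, only LISTENER is hardened.
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = PRD.WORLD))
      (ADDRESS = (PROTOCOL = TCP)(HOST = sapdb01)(PORT = 1527))
    )
  )

LISTENER_DR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = sapdb01)(PORT = 1528)))

SECURE_REGISTER_LISTENER = (IPC)
"""

# Constructed sqlnet.ora files: one without node checking, one with it.
SQLNET_ORA_WEAK = """
SQLNET.EXPIRE_TIME = 10
"""

SQLNET_ORA_HARDENED = """
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (sapapp01, sapapp02, 10.1.2.0/24)
"""

# A top-level parameter starts in column 0; nested keywords are indented.
PARAM_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def top_level_params(text):
    """Return {NAME: value} for column-0 parameters, joining the indented
    continuation lines of a multi-line value onto that value."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            current = m.group(1).upper()
            params[current] = m.group(2).strip()
        elif current is not None:
            params[current] += " " + line.strip()
    return params


def check_listener_registration(listener_ora):
    """Note 1714255 (non-RAC): every listener definition should have a
    matching SECURE_REGISTER_<name> = (IPC), so that instance registration
    over TCP, the TNS poisoning vector, is refused. Returns {name: ok}."""
    params = top_level_params(listener_ora)
    findings = {}
    for name, value in params.items():
        if name.startswith("SECURE_REGISTER_"):
            continue
        # Listener definitions are the entries carrying DESCRIPTION/ADDRESS.
        if re.search(r"\(\s*(DESCRIPTION|ADDRESS)", value, re.I):
            secure = params.get("SECURE_REGISTER_" + name, "")
            protocols = {p.upper() for p in re.findall(r"[A-Za-z]+", secure)}
            findings[name] = protocols == {"IPC"}
    return findings


def check_valid_node(sqlnet_ora):
    """Note 186119: TCP.VALIDNODE_CHECKING = yes plus a non-empty
    TCP.INVITED_NODES list limits which hosts may open a TCP session.
    Returns (ok, invited_nodes)."""
    params = top_level_params(sqlnet_ora)
    flag = params.get("TCP.VALIDNODE_CHECKING", "").strip("()").lower()
    enabled = flag in ("yes", "true", "on")
    raw = params.get("TCP.INVITED_NODES", "").strip("()")
    nodes = [n.strip() for n in raw.split(",") if n.strip()]
    return enabled and bool(nodes), nodes


if __name__ == "__main__":
    for name, ok in check_listener_registration(LISTENER_ORA).items():
        print(f"{name}: registration restricted to IPC -> {ok}")
    for label, text in (("weak", SQLNET_ORA_WEAK), ("hardened", SQLNET_ORA_HARDENED)):
        ok, nodes = check_valid_node(text)
        print(f"sqlnet.ora ({label}): valid node checking -> {ok} {nodes}")
```

Run it against the real files (normally under $ORACLE_HOME/network/admin or the directory TNS_ADMIN points to) by reading them into the two strings; the parser deliberately ignores IFILE includes, so a setting kept in an included file has to be checked separately. A listener reported as False is one that still accepts remote registration, which is exactly the condition the two notes above are meant to remove.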