Hey all,
Whilst analyzing Oracle's Critical Patch Update for April 2005 I noticed 
some failures in it, that meant certain issues the patch was supposed to fix 
were actually left unfixed.

One set of vulnerabilities "fixed" by the April CPU is a group of SQL 
injection bugs in DBMS_SUBSCRIBE and DBMS_ISUBSCRIBE discovered by AppSec 
Inc. On digging deeper you find that the actual source of the problem lies 
within the underlying java class files. The April CPU fails to properly load 
the newer patched classes which means that these problems can still be 
exploited. To resolve this problem, a DBA can use the loadjava command line 
utility or execute the loadjava procedure on the DBMS_JAVA package. The jar 
file to be loaded is $ORACLE_HOME/rdbms/jlib/CDC.jar. All platforms are 
affected by this problem.

On Windows, both 32bit and 64bit, a second problem exists; a vulnerability 
exists whereby an attacker can run arbitrary SQL by abusing the 
CTXSYS.DRILOAD package to gain DBA privleges. This was discovered by 
multiple persons and was initially fixed in August 2004. However, the April 
Critical Patch Update copies the updated sql script file to the wrong 
directory and if previous patches (August 2004 or January 2005) have not 
applied then you will still be vulnerable to this attack even if the April 
CPU has been applied.

These problems were reported to Oracle in early June and today they have 
released updated information about these problems. See the Metalink 
(http://metalink.oracle.com) website for more details.

<shameless plug>
I'll be speaking about patching and Oracle as part of my presentation at 
Blackhat in Las Vegas and the end of this month if anyone's interested
</shameless plug>

<shameful plug>
NGSSQuirreL for Oracle (http://www.ngssoftware.com/squirrelora.htm) checks 
for the problems I've just discussed
</shameful plug>

Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com