TeamSHATTER Researcher Credited By Oracle for Reporting Vulnerability in October 2010 Critical Patch Update

Application Security, Inc.'s Security, Risk, and Compliance Products to Support the Latest Oracle CPU Across its Product Suite

NEW YORK - Application Security, Inc. (AppSec), the leading provider of database security, risk and compliance solutions (SRC) for the enterprise, today announced that one of the company's researchers from its TeamSHATTER group, Esteban Martinez Fayo, has been credited by Oracle for reporting SQL Injection vulnerability CVE-2010-2415 in the 'Change Data Capture' component. Additionally, Application Security, Inc. will support Oracle's latest CPU in the latest release of its enterprise platform, DbProtect, as well as its AppDetectivePro database vulnerability scanner.

The latest CPU contains 81 security vulnerability fixes across multiple Oracle products, 7 of which are specific to the Oracle database. Out of the 7 Oracle database server vulnerabilities, one has been assigned a CVSS (Common Vulnerability Scoring System) score of 7.5 out of 10 and another vulnerability scored at 6.5. In addition, one of the database vulnerabilities may be remotely exploitable without authentication. AppSec implements support for every CPU, ensuring the highest level of protection and performance for Oracle database users.

With every Oracle CPU, AppSec updates its market-leading solutions, AppDetectivePro for auditors and IT advisors and DbProtect for the enterprise, with the appropriate scanning checks and monitoring filters through its monthly ASAP Update™ (Application Security Automatic Protection) process. DbProtect updates will include monitoring filters for the new security vulnerabilities, enabling customers to protect sensitive information during the deployment of new patches across their database infrastructure.

AppSec's TeamSHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.

In this CPU, Esteban Martinez Fayo of TeamSHATTER was credited for reporting one database vulnerability: CVE-2010-2415, or SQL INJECTION IN CHANGE_SET_NAME PARAMETER TO DBMS_CDC_PUBLISH.CREATE_CHANGE_SET.

"AppSec is committed to ensuring that Oracle customers are protected with the most relevant and up-to-date vulnerability checks," said Alex Rothacker, Manager, TeamSHATTER, AppSec. "The TeamSHATTER knowledgebase is the largest and most up-to-date database vulnerability offering of its kind. By identifying and remediating critical database vulnerabilities we can ensure our customers' data is safe from internal and external threats."

AppSec's TeamSHATTER has identified the following vulnerabilities as high risk:

• CVE-2010-2415 is a SQL Injection vulnerability that allows a user with limited privileges to execute arbitrary PL/SQL as the SYS user.

According to TeamSHATTER's Alex Rothacker, "Although CVE-2010-2415 is rated by Oracle with a CVSS score of 4.9, this vulnerability is more severe than the score suggests, since it allows for complete takeover of the database management system (DBMS). In certain cases the CVSS ratings for vulnerabilities do not adequately reflect the threat to critical databases. TeamSHATTER suggests that this vulnerability should be scored as a CVSS version 2 7.5."