Security Experts Say Database Flaws Remain a Serious Threat
"Unless circumstances change drastically-as a result of, for example, the discovery of new exploit vectors-we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced," Maurice wrote. Although Oracle is telling customers the database platform is secure because fewer flaws are being found, that "just isn't the case," according to Rothacker. TeamSHATTER continues to report a similar number of vulnerabilities, but Oracle is fixing fewer of them, he said. "By fixing less, they are leading people to believe they are more secure," Rothacker said.The vulnerability in the Database Server's Core RDBMS component (CVE-2012-0082), with its 5.5 CVSS rating, is "probably more severe" than Oracle made it sound in the advisory, Rothacker said. The issue affects Oracle Database versions 10.1.05 to 220.127.116.11 and was a "flaw in Oracle's flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems," InfoWorld reported Jan. 17. Oracle uses the System Change Number to keep track of database activity, including inserts, updates and deletes into the tables, and it is necessary for the database to properly return the appropriate version of data at any given point in time. InfoWorld disclosed to Oracle several ways the SCN can be artificially incremented, causing the database to become unstable or unavailable. While the flaw could make any unpatched Oracle Database customer vulnerable to malicious attack, the "more fundamental aspect" of the issue poses "a special risk only to large Oracle customers with interconnected databases," according to InfoWorld. The side effects for this fix "could be difficult to implement at all customer sites," Rothacker said. The SCN issue is a good example of how Oracle's "Partial+" ranking "artificially plays down the severity" of the vulnerability, Shulman said. According to Oracle, a vulnerability's impact is only considered "Complete" if "all software running on the machine" is affected, not just the Oracle Database Server. If the issue impacts just the database server, the company rates it as "Partial+" to indicate it was more serious than other issues with just a "Partial" rating. This distinction defies "common sense" because in most real-world installations, the database server is the sole software running on a given computer besides the operating system, according to Rothacker. Oracle should rethink its Partial+ ranking, Shulman said.
Oracle is also continuing to "undervalue the severity of their reported vulnerabilities," Shulman said, noting that a Solaris vulnerability fixed in this CPU had a Common Vulnerability Scoring System rating of 7.8, but similar issues in the Oracle Database Server and MySQL scored "just a 5.5."