Oracle Releases 78 Patches, Some for Self-Imposed Security Holes

 
 
By Chris Preimesberger  |  Posted 2011-07-19

UPDATED: Strangely enough, many of the patches released on the quarterly Patch Tuesday cure vulnerabilities that Oracle itself created with its own faulty security products, a database security researcher/vendor told eWEEK.

In its quarterly Patch Tuesday update on July 19, Oracle released a total of 78 security patches that encompass nearly every type of product in its portfolio.

Strangely enough, about a half-dozen of the patches cure vulnerabilities that Oracle itself created with its own faulty security products, a database security researcher who produces a security product that competes with Oracle's told eWEEK.

Oracle said in its CPU pre-release announcement on July 14 that this Critical Patch Update would fix 13 problems in its flagship database. Of the fixed issues, Oracle classified 27 vulnerabilities as critical, that is, issues that may be exploited remotely without requiring a user name or password.

"This is a very large set of patches for vulnerabilities that expose nearly every running Oracle database in the world to fairly trivial attacks that allow somebody to either knock the database down or take complete control of the database and all the data inside of it," Josh Shaul, CTO of New York City-based Application Security, told eWEEK. AppSec, as it is known, makes DBProtect, an independent database security product.

And that's not the worst of it, Shaul said: amazingly, Oracle itself is the culprit in enabling many of these vulnerabilities to exist.

"Most of the worst of these vulnerabilities are introduced into your system when you install Oracle's add-on security products," Shaul said. "So when you buy a product like Oracle Database Vault and Oracle Secure Backup, it turns out that you're introducing some pretty horrendous vulnerabilities into your database."

How in the world does this happen?

"It just comes down to bad coding practice and, frankly, laziness," Shaul said. "Software vendors oftentimes don't do their due diligence from a security perspective before they put releases out there. I know Oracle specifically has a security process that they use. Clearly that process is not effective."

It appears that Oracle is relying on the security research industry to find and prioritize its security problems for it, Shaul said.

"I would say that Oracle positions itself to be a security company, but the proof is in the pudding," Shaul said. "In the end, what we see from Oracle is this never-ending march of vulnerabilities that they're releasing and fixing every quarter."

Shaul said that by simply searching for the name of a particular vulnerability and clicking on the first link you see, "you almost always get to exploit code that you can literally just cut and paste and run on your machine to knock over a database."

Shaul said he and his team are in the process of installing and testing the new Oracle patches to see if they work, and that they should be done within the next couple of days to "validate that the patches actually fix the vulnerabilities."

July's Critical Patch Update contains updates to Oracle Database Server 11g and 10g, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Application Server, Oracle Identity Management, E-Business Suite, Supply Chain product suite and PeopleSoft. It also includes security fixes for flaws in the Oracle Sun product suite, including Solaris, SPARC and VirtualBox, according to Oracle's pre-release announcement.

"Oracle is the biggest, most popular database company in the world," Shaul said. "They store more sensitive data than anyone. We're pushing them hard to do a better job at securing the data that they store. We bump heads with them a lot, but it's real important that they provide their customers with a platform that allows that data to be stored securely."

Shaul's advice to Oracle database admins: "Get the fixes and install them immediately."

An Oracle spokeswoman acknowledged a request for comment on this report from eWEEK, but the company did not get back to eWEEK with a response.

Gartner Database Security Analyst Jeffrey Wheatman told eWEEK that "Oracle in the last three years has established a process for identifying and fixing vulnerabilities in the development process. What more can anybody really expect a software vendor to do?

"No software, anywhere, is 100 percent secure. There is no perfect code. I do think that Oracle does a good job of fixing the stuff when they are notified about it. And sometimes the notifications come from Application Security."

Quarterly Updates a Challenge for Admins

Figuring out how to approach the quarterly updates can be a bit of a challenge for Oracle administrators.

The fact that the updates come out every three months and cover most of Oracle's product portfolio means administrators have to grapple with large releases every time as they assess the impact of each patch on the products.

While Oracle assigns a base score from the Common Vulnerability Scoring System to each vulnerability, it also assigns a separate "impact" rating, which can confuse the issue for many administrators, Alex Rothacker, director of security research for Application Security's TeamSHATTER, told eWEEK.

A security flaw gets a "Complete" impact rating only if "all software running on the machine" is affected and not just the Oracle Database Server. Otherwise, it gets a "Partial+." Any vulnerability that would usually be considered "Complete" but doesn't fit Oracle's narrow definition is rated by Oracle as Partial+, Rothacker said, which seems to be a way for the database giant to downplay the severity of its vulnerabilities.
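To make the rating question concrete, here is an added worked example (not code from the article, Oracle or Application Security) that computes CVSS v2 base scores for the remote, no-credential case the article describes, comparing Partial, Partial+ and Complete impact ratings. It assumes that Oracle's "Partial+" label is scored with the standard Partial weight, and the "P+" vector notation is a constructed shorthand for that label.

```python
# Added example: CVSS v2 base-score arithmetic, to show what a "Partial"
# versus "Complete" impact rating does to the number an admin sees.
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric -> letter dict."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    for key in ("AV", "AC", "Au", "C", "I", "A"):
        if key not in metrics:
            raise ValueError("missing metric " + key)
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the spec requires."""
    m = parse_vector(vector)
    # Assumption: the constructed 'P+' (Oracle's "Partial+") is scored with
    # the Partial weight, so the label changes no digit of the score.
    c, i, a = (IMPACT[m[k].rstrip("+")] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0 if impact == 0 else 1.176  # zero-impact flaws score 0.0
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def compare_ratings():
    """The same remotely exploitable, no-password flaw (constructed vectors)
    scored under three impact ratings."""
    return {label: base_score(vec) for label, vec in (
        ("Partial, confidentiality only", "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
        ("Partial+ (scored as Partial)", "AV:N/AC:L/Au:N/C:P+/I:P+/A:P+"),
        ("Complete", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    )}


if __name__ == "__main__":
    for label, score in compare_ratings().items():
        print(f"{label:32s} {score}")
```

The gap between the Partial+ row and the Complete row is the numeric cost of the narrow "Complete" definition Rothacker describes: the base score a database admin triages on never reflects the "+".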

eWEEK reporter Fahmida Rashid contributed to this story. This story was updated on July 20 to clarify the fact that AppSec CTO Josh Shaul and his company produce a competing database protection product to Oracle's.

 
 
 
 