In its quarterly Patch Tuesday update on July 19, Oracle released a total of 78 security patches that encompass nearly every type of product in its portfolio.
Strangely enough, about a half-dozen of the patches cure vulnerabilities that Oracle itself created with its own faulty security products, a database security researcher who produces a security product that competes with Oracle's told eWEEK.
Oracle said in its CPU prerelease announcement on July 14 that it would fix 13 problems in its flagship database in the Critical Patch Update. Of the fixed issues, Oracle classified 27 vulnerabilities as critical, meaning issues that may be exploited remotely without requiring a user name or password.
"This is a very large set of patches for vulnerabilities that expose nearly every running Oracle database in the world to fairly trivial attacks that allow somebody to either knock the database down or take complete control of the database and all the data inside of it," Josh Shaul, CTO of New York City-based Application Security, told eWEEK. AppSec, as it is known, makes DBProtect, an independent database security product.
And that's not the worst of it, Shaul said. Amazingly, Oracle itself is the culprit in enabling many of these vulnerabilities to exist.
"Most of the worst of these vulnerabilities are introduced into your system when you install Oracle's add-on security products," Shaul said. "So when you buy a product like Oracle Database Vault and Oracle Secure Backup, it turns out that you're introducing some pretty horrendous vulnerabilities into your database."
How in the world does this happen?
"It just comes down to bad coding practice and, frankly, laziness," Shaul said. "Software vendors oftentimes don't do their due diligence from a security perspective before they put releases out there. I know Oracle specifically has a security process that they use. Clearly that process is not effective."
It appears that Oracle is relying on the security research industry to find and prioritize its security problems for it, Shaul said.
"I would say that Oracle positions itself to be a security company, but the proof is in the pudding," Shaul said. "In the end, what we see from Oracle is this never-ending march of vulnerabilities that they're releasing and fixing every quarter."
Shaul said that by simply searching for the name of a particular vulnerability and clicking on the first link you see, "you almost always get to exploit code that you can literally just cut and paste and run on your machine to knock over a database."
Shaul said he and his team are in the process of installing and testing the new Oracle patches to see if they work, and added that they should be done within the next couple of days to "validate that the patches actually fix the vulnerabilities."
July's Critical Patch Update contains updates to Oracle Database Server 11g and 10g, Oracle Fusion middleware, Oracle Enterprise Manager Grid Control, Oracle Application Server, Oracle Identity Management, E-Business suite, Supply Chain product suite and PeopleSoft. There will also be security fixes addressing security flaws in the Oracle Sun product suite, including Solaris, SPARC and VirtualBox, according to Oracle's pre-release announcement.
"Oracle is the biggest, most popular database company in the world," Shaul said. "They store more sensitive data than anyone. We're pushing them hard to do a better job at securing the data that they store. We bump heads with them a lot, but it's real important that they provide their customers with a platform that allows that data to be stored securely."
Shaul's advice to Oracle database admins: "Get the fixes and install them immediately."
An Oracle spokeswoman acknowledged a request for comment on this report from eWEEK, but the company did not get back to eWEEK with a response.
Gartner Database Security Analyst Jeffrey Wheatman told eWEEK that "Oracle in the last three years has established a process for identifying and fixing vulnerabilities in the development process. What more can anybody really expect a software vendor to do?
"No software, anywhere, is 100 percent secure. There is no perfect code. I do think that Oracle does a good job of fixing the stuff when they are notified about it. And sometimes the notifications come from Application Security."
Quarterly Updates a Challenge for Admins
Figuring out how to approach the quarterly updates can be a bit of a challenge for Oracle administrators.
The fact that the updates come out every three months and cover most of Oracle's product portfolio means administrators have to grapple with large releases every time as they assess the impact of each patch on the products.
While Oracle assigns a base score from the Common Vulnerability Scoring System to each vulnerability, it also assigns a separate "impact" rating, which can confuse the issue for many administrators, Alex Rothacker, director of security research for Application Security's TeamSHATTER, told eWEEK.
A security flaw gets a "Complete" impact rating only if "all software running on the machine" is affected and not just the Oracle Database Server. Otherwise, it gets a "Partial+." Any vulnerability that would usually be considered "Complete" but doesn't fit Oracle's narrow definition is rated by Oracle as Partial+, Rothacker said, which seems to be a way for the database giant to downplay the severity of its vulnerabilities.
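To see what the "Partial+" convention does to the number an administrator actually triages on, the following CVSS v2 base-score calculator compares a vector as Oracle rates it with the same vector scored as "Complete". This is an added example, not code from the article, from Oracle or from Application Security. It assumes the CVSS v2.0 base equations and metric weights published by FIRST, and it assumes, as the article implies, that a "Partial+" impact is fed into the formula with the "Partial" weight; the vectors in the docstring are constructed for illustration.

```python
"""CVSS v2 base-score calculator, used to show how a "Partial+" rating
changes a vulnerability's score compared with a "Complete" rating.

Added example; assumptions: CVSS v2.0 equations/weights from the FIRST
guide, and that "P+" (Oracle's Partial+) is scored with the "P" weight.
Example vectors (constructed, not from any real advisory):
  AV:N/AC:L/Au:N/C:P+/I:P+/A:P+  -> 7.5 as rated, 10.0 if Complete
  AV:N/AC:L/Au:S/C:P+/I:P+/A:P+  -> 6.5 as rated,  9.0 if Complete
"""

# CVSS v2.0 base metric weights (FIRST CVSS v2 guide).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric dict.

    A 'P+' impact value (Partial+) is accepted and mapped to 'P'; that
    mapping is the assumption this example makes about how it is scored.
    """
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if value == "P+":
            value = "P"
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score rounded to one decimal place."""
    m = parse_vector(vector)
    impact = 10.41 * (
        1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]])
    )
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    if impact == 0:
        # f(Impact) is 0 when there is no impact, so the score is 0.
        return 0.0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def score_gap(vector: str) -> tuple:
    """Return (score as rated, score if every P+ were rated Complete)."""
    return base_score(vector), base_score(vector.replace("P+", "C"))


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:P+/I:P+/A:P+", "AV:N/AC:L/Au:S/C:P+/I:P+/A:P+"):
        rated, complete = score_gap(v)
        print(f"{v}: {rated} as rated, {complete} if rated Complete")
```

The gap is the practical point for a DBA: a remotely exploitable, unauthenticated flaw that compromises the whole database server reads 7.5 under a Partial+ convention but 10.0 under the ordinary reading of "Complete", and a patch-priority policy keyed to a threshold such as "9.0 and above" treats those two very differently.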
eWEEK reporter Fahmida Rashid contributed to
this story. This story was updated on July 20 to clarify the fact that AppSec CTO Josh Shaul and his company produce a competing database protection product to Oracle's.