Researcher: Oracle Patch Set Flawed Again

A security researcher has reported that Oracle's most recent quarterly cumulative patch update leaves some flaws exploitable.

A security researcher has reported that Oracles most recent quarterly cumulative patch update, released on Tuesday, leaves some flaws exploitable.

David Litchfield, a security research with Next Generation Security Software Ltd., was in the process of auditing the CPU when this story was posted.

Litchfield on Wednesday evening posted to BugTraq a message saying that the patch is still lacking.

"Having downloaded and given the Oracle October patch a cursory examination, some of the flaws Oracle told me were being fixed, remain exploitable," he wrote. "Once again the patch is not sufficient. I will conduct a full investigation of the patch over the coming few days and post some recommendations once complete."

The October CPU, a set of 23 patches, is intended to close 85 security vulnerabilities in Oracle databases, servers and enterprise applications.

Seven of the 23 patches involve aspects of the companys flagship database, Oracle 10g, including fixes for the main server itself, Grid Control, Application Server, Collaboration Suite and Database Control products.

Patches are also included for the Oracle 9i and Oracle 8i database servers.

PeopleSoft Enterprise Tools and PeopleSoft CRM also have new patches, as does JD Edwards EnterpriseOne/OneWorld XE.

Litchfield and other security researchers have taken Oracle to task repeatedly over the past few years regarding vulnerabilities remaining unpatched for long periods of time, as well as regarding patches that dont fix what theyre supposed to.

Oracle in July admitted that both its April and June CPUs were flawed.

/zimages/6/28571.gifLitchfield has found that 76 percent of surveyed database servers have anomalies between expected and actual patch levels. Click here to read more.

Oracle Chief Security Officer Mary Ann Davidson went on the defense shortly thereafter, penning an article dismissing the motives of security researchers who point out vulnerabilities—a rare moment for Oracle, which usually keeps security details close to the vest and doesnt often stoop to answer criticism on matters of security.

The company did not respond to a request for comment on the most recent allegations of flawed patch sets.

Oracle customers, for their part, are generally nonplussed by the news that patch sets arent perfect.

"Any DBA worth her salt has identified and resolved these issues," one reader wrote in feedback to an earlier article about Oracles security woes. "In the real world of software administration people do not expect everything to work as prescribed all the time. ... This is part of the reason why good IT people are [paid] so much."

Indeed, users tend to report having their Oracle databases locked down tight, saying that they dont find the bugs as troublesome in reality as they are in headlines.

However, not all are so sanguine. Litchfield has told that he has plenty of clients who use Oracle and run databases that are exposed to the Internet. In particular, he has cited universities databases as being more exposed and thereby more susceptible to vulnerabilities than the general population of Oracle users tend to be.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest database news, reviews and analysis.