    Oracle Accused of Downplaying Database Flaws, Severity

    By
    Fahmida Y. Rashid
    -
    January 17, 2012

      Even as Oracle fixed numerous flaws across multiple products in January’s Critical Patch Update, security experts criticized the company for the low number of database fixes and claimed the company is downplaying the severity of a flaw in its flagship relational database.

      Only two patches were for the Oracle Database out of the 78 security fixes in the January update, which also covered the Oracle Fusion Middleware, Oracle e-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle JDEdwards, Oracle Sun products, Oracle Virtualization and Oracle MySQL, the company said in its CPU advisory released Jan. 17.

      “Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process,” Amichai Shulman, CTO of Imperva, told eWEEK.

      As Oracle expands its product portfolio and increases the total number of products patched through the quarterly CPU, there appears to be a “bottleneck” in Oracle’s patching process, Shulman said. This CPU was the first time Oracle included the open-source MySQL database, which it acquired in 2010 as part of the Sun Microsystems acquisition.

      While MySQL accounted for a whopping 27 fixes, the overall number of vulnerabilities in the CPU remained consistent with previous releases, according to Shulman. “If you were to introduce a new product, there should be more vulnerabilities in the CPU,” he said.

      The low number of Oracle database fixes is most likely a sign of Oracle shifting its focus and “de-emphasizing” the entire database line, Alex Rothacker, director of security research at Application Security’s TeamSHATTER, told eWEEK. Oracle has been consistently decreasing the number of database-related fixes in its CPU since January 2010, shortly after the Sun deal closed, he said. The company released only 34 fixes for Oracle Database Server in all of 2011.

      Of the nine reported vulnerabilities TeamSHATTER has open with Oracle, several of them are “at least as severe as those that were fixed in this CPU,” Rothacker said.

      Oracle claimed there were fewer issues to fix in its software. The Oracle Database Server code has “matured,” and many of the vulnerabilities have been weeded out, Eric Maurice, director of Oracle’s security assurance program, wrote in the Oracle Software Security Assurance blog on Dec. 15.

      Oracle has also introduced a secure coding initiative, similar to Microsoft’s Security Development Lifecycle, which has resulted in fewer bugs in new code, according to Maurice.

      Security Experts Say Database Flaws Remain a Serious Threat

      “Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at a relatively lower level than previously experienced,” Maurice wrote.

      Although Oracle is telling customers the database platform is secure because fewer flaws are being found, that “just isn’t the case,” according to Rothacker. TeamSHATTER continues to report a similar number of vulnerabilities, but Oracle is fixing fewer of them, he said. “By fixing less, they are leading people to believe they are more secure,” Rothacker said.

      Oracle is also continuing to “undervalue the severity of their reported vulnerabilities,” Shulman said, noting that a Solaris vulnerability fixed in this CPU had a Common Vulnerability Scoring System rating of 7.8, but similar issues in the Oracle Database Server and MySQL scored “just a 5.5.”

      The vulnerability in the Database Server’s Core RDBMS component (CVE-2012-0082), with its 5.5 CVSS rating, is “probably more severe” than Oracle made it sound in the advisory, Rothacker said. The issue affects Oracle Database versions 10.1.05 to 11.2.0.3 and was a “flaw in Oracle’s flagship database software that could have serious repercussions for Oracle database customers, potentially compromising the security and stability of Oracle database systems,” InfoWorld reported Jan. 17.

      Oracle uses the System Change Number to keep track of database activity, including inserts, updates and deletes into the tables, and it is necessary for the database to properly return the appropriate version of data at any given point in time. InfoWorld disclosed to Oracle several ways the SCN can be artificially incremented, causing the database to become unstable or unavailable.

      While the flaw could make any unpatched Oracle Database customer vulnerable to malicious attack, the “more fundamental aspect” of the issue poses “a special risk only to large Oracle customers with interconnected databases,” according to InfoWorld.
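As an added illustration of the defender's side of the SCN issue (example code written for this page, not from the article, Oracle or InfoWorld), the Python below computes how much SCN headroom a database has left and flags sampling intervals in which the SCN advanced at an abnormal rate. It assumes Oracle's documented soft limit of 16,384 SCNs per second counted from 1 January 1988 UTC, which the article itself does not state; the sample readings are constructed.

```python
"""SCN headroom monitor (added example; assumes the documented 16,384/s soft limit)."""
from datetime import datetime, timezone

# Assumption: Oracle caps the SCN at 16,384 per second elapsed since 1988-01-01 UTC.
SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)
SCN_PER_SECOND = 16384
SCN_PER_DAY = SCN_PER_SECOND * 86400


def max_reasonable_scn(at: datetime) -> int:
    """Highest SCN the database would accept at the instant `at` (UTC-aware)."""
    return int((at - SCN_EPOCH).total_seconds()) * SCN_PER_SECOND


def headroom_days(current_scn: int, at: datetime) -> float:
    """Days of headroom left if the SCN were consumed at the maximum rate from now on.
    A negative value means the SCN has already crossed the ceiling."""
    return (max_reasonable_scn(at) - current_scn) / SCN_PER_DAY


def abnormal_jumps(samples, threshold: float = 0.5):
    """Given (timestamp, scn) readings in time order, return (t_prev, t_cur, rate)
    for every interval whose SCN consumption exceeded `threshold` of the cap.
    A healthy database uses a tiny fraction of 16,384/s, so such an interval points
    to an artificial increment or an inflated SCN propagated from a linked database."""
    flagged = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        rate = (s1 - s0) / (t1 - t0).total_seconds()
        if rate > threshold * SCN_PER_SECOND:
            flagged.append((t0, t1, rate))
    return flagged


if __name__ == "__main__":
    # Constructed readings: hourly samples; the second interval jumps at the full cap rate.
    base = datetime(2012, 1, 17, 12, tzinfo=timezone.utc)
    readings = [
        (base.replace(hour=12), 1_000_000),
        (base.replace(hour=13), 1_000_000 + 3600 * 100),      # 100 SCN/s: normal
        (base.replace(hour=14), 1_000_000 + 3600 * 100 + 3600 * SCN_PER_SECOND),  # 16,384/s: abnormal
    ]
    print("headroom (days):", round(headroom_days(readings[-1][1], readings[-1][0]), 1))
    for t0, t1, rate in abnormal_jumps(readings):
        print(f"ALERT {t0:%H:%M}-{t1:%H:%M}: SCN advanced at {rate:.0f}/s")
```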

      The side effects for this fix “could be difficult to implement at all customer sites,” Rothacker said.

      The SCN issue is a good example of how Oracle’s “Partial+” ranking “artificially plays down the severity” of the vulnerability, Shulman said.

      According to Oracle, a vulnerability’s impact is only considered “Complete” if “all software running on the machine” is affected, not just the Oracle Database Server. If the issue impacts just the database server, the company rates it as “Partial+” to indicate it was more serious than other issues with just a “Partial” rating. This distinction defies “common sense” because in most real-world installations, the database server is the sole software running on a given computer besides the operating system, according to Rothacker.

      Oracle should rethink its Partial+ ranking, Shulman said.
