Oracle Issues Pile of 51 Security Patches

Oracle releases a long list of patches and scores them in a manner that some say downplays the true risks.

Oracle on Oct. 16 released 51 security fixes, including 27 patches for the beating heart of so many enterprises: the Oracle database.

In addition to that load of patches, Oracle administrators can also look forward to rolling out 11 patches to Oracles Application Server, seven to Oracle Collaboration Suite, eight to Oracle E-Business Suite and Applications, three to Oracle Enterprise Manager and three to Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.

Its not the biggest patch set the database kingpin has ever released, but its still big enough to hurt—particularly given the scant amount of information given in Oracles risk matrices and what some see as deceptively mild risk ratings due to Oracles move to the industry-standard CVSS (Common Vulnerability Scoring System) Version 2.0 scoring.

"The highest vulnerability rating [out of all 51 patches] is 6.5 out of 10," Amichai Shulman, director of the Application Defense Center and chief technology officer for Imperva, based in Foster City, Calif., said in an interview with eWEEK. He was referring to Oracle Database vulnerability DB01, which is easy to access and yet could lead to a complete database server takeover, according to Oracles risk matrix.


Click here to read about why Oracle was third on a list of the software vendors whose products have the most security vulnerabilities.

According to Oracles matrix, DB01 has Confidentiality, Integrity and Availability as all rated Partial+. Partial+ is a term invented by Oracle since CVSS only defines "Partial" and "Complete." In Oracles MetaLink note about the use of CVSS, the company presents its interpretation, in which "Complete" will never be used unless the exploit directly leads to a takeover of the operating system as well. Oracle has invented "Partial+" to indicate an overall effect on the database server without effect on the underlying operating system, Shulman said.

Given the fact that DB01 thus entails database compromise, "I find it strange that this vulnerability, which in all aspects seems very severe, receives a relatively low score," Shulman said.

DB20 and DB19 are also vulnerabilities that may inflict denial of service on an Oracle database server without any authentication required, yet they are both rated 5 on a score of 1 to 10. "Theres something about this scoring method that tends to draw the scores down," Shulman said.

In fact, seven of Oracles database patches are for vulnerabilities that require no special privileges whatsoever to exploit. What that means, Shulman said, is that there are no easy workarounds for the vulnerabilities.

"Weve become used to a lot of vulnerabilities that require execute privileges on a specific package. These can have easy workarounds if you deny access to a package or a stored procedure and leave only administrators with the power to execute those stored procedures. But if you look at todays patches, youll see that out of all the vulnerabilities, almost 15 require no special privileges, only the ability to connect to the database server. So theres clearly no workaround," he said.

Shulman is "strongly" advising Oracle administrators to study the details of each exploit when assessing the patch set, rather than looking at the score. "The score in my opinion is very misleading," he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.