In its quarterly Patch Tuesday update on July 19, Oracle released a total of 78 security patches that encompass nearly every type of product in its portfolio.
Strangely enough, about a half-dozen of the patches cure vulnerabilities that Oracle itself created with its own faulty security products, a database security researcher who produces a security product that competes with Oracle’s told eWEEK.
Oracle said in its CPU prerelease announcement on July 14 that it would fix 13 problems in its flagship database in this Critical Patch Update. Of the fixed issues, Oracle classified 27 vulnerabilities as critical or as issues that may be exploited remotely without requiring a user name or password.
“This is a very large set of patches for vulnerabilities that expose nearly every running Oracle database in the world to fairly trivial attacks that allow somebody to either knock the database down or take complete control of the database and all the data inside of it,” Josh Shaul, CTO of New York City-based Application Security, told eWEEK. AppSec, as it is known, makes DBProtect, an independent database security product.
And that’s not the worst of it, Shaul said. Amazingly, Oracle itself is the culprit in enabling many of these vulnerabilities to exist, Shaul said.
“Most of the worst of these vulnerabilities are introduced into your system when you install Oracle’s add-on security products,” Shaul said. “So when you buy a product like Oracle Database Vault and Oracle Secure Backup, it turns out that you’re introducing some pretty horrendous vulnerabilities into your database.”
How in the world does this happen?
“It just comes down to bad coding practice and, frankly, laziness,” Shaul said. “Software vendors oftentimes don’t do their due diligence from a security perspective before they put releases out there. I know Oracle specifically has a security process that they use. Clearly that process is not effective.”
It appears that Oracle is relying on the security research industry to find and prioritize its security problems for it, Shaul said.
“I would say that Oracle positions itself to be a security company, but the proof is in the pudding,” Shaul said. “In the end, what we see from Oracle is this never-ending march of vulnerabilities that they’re releasing and fixing every quarter.”
Shaul said that by simply searching for the name of a particular vulnerability and clicking on the first link you see, “you almost always get to exploit code that you can literally just cut and paste and run on your machine to knock over a database.”
Shaul said he and his team are in the process of installing and testing the new Oracle patches to see if they work, and added that they should be done within the next couple of days to “validate that the patches actually fix the vulnerabilities.”
July’s Critical Patch Update contains updates to Oracle Database Server 11g and 10g, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle Application Server, Oracle Identity Management, E-Business Suite, Supply Chain product suite and PeopleSoft. There will also be fixes addressing security flaws in the Oracle Sun product suite, including Solaris, SPARC and VirtualBox, according to Oracle’s pre-release announcement.
“Oracle is the biggest, most popular database company in the world,” Shaul said. “They store more sensitive data than anyone. We’re pushing them hard to do a better job at securing the data that they store. We bump heads with them a lot, but it’s real important that they provide their customers with a platform that allows that data to be stored securely.”
Shaul’s advice to Oracle database admins: “Get the fixes and install them immediately.”
An Oracle spokeswoman acknowledged a request for comment on this report from eWEEK, but the company did not get back to eWEEK with a response.
Gartner Database Security Analyst Jeffrey Wheatman told eWEEK that “Oracle in the last three years has established a process for identifying and fixing vulnerabilities in the development process. What more can anybody really expect a software vendor to do?
“No software, anywhere, is 100 percent secure. There is no perfect code. I do think that Oracle does a good job of fixing the stuff when they are notified about it. And sometimes the notifications come from Application Security.”
Quarterly Updates a Challenge for Admins
Figuring out how to approach the quarterly updates can be a bit of a challenge for Oracle administrators.
The fact that the updates come out every three months and cover most of Oracle’s product portfolio means administrators have to grapple with large releases every time as they assess the impact of each patch on the products.
While Oracle assigns a base score from the Common Vulnerability Scoring System to each vulnerability, it also assigns a separate “impact” rating, which can confuse the issue for many administrators, Alex Rothacker, director of security research for Application Security’s TeamSHATTER, told eWEEK.
A security flaw gets a “Complete” impact rating only if “all software running on the machine” is affected and not just the Oracle Database Server. Otherwise, it gets a “Partial+.” Any vulnerability that would usually be considered “Complete” but doesn’t fit Oracle’s narrow definition is rated by Oracle as Partial+, Rothacker said, which seems to be a way for the database giant to downplay the severity of its vulnerabilities.
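The two paragraphs above describe the triage problem an administrator faces with a quarterly batch: a CVSS base score on each fix, plus a separate Oracle impact label that may not line up with it. The following added example, which is not code from the article, from Oracle or from Application Security, shows one way to do that triage from the CVSS v2 vectors alone. It parses CVSS v2 base vectors, computes the base score with the published CVSS v2 formula, and flags the class of issue the article singles out as critical: exploitable over the network with no user name or password (AV:N and Au:N). Scoring the same remotely exploitable flaw with Partial rather than Complete impact shows how large the gap is, which is the reason a Partial+ label deserves a second look. The advisory ids and vectors are constructed samples, not entries from the July CPU.

```python
"""CVSS v2 triage helper for a quarterly patch batch (added example).

Assumes advisories are available as (id, CVSS v2 base vector) pairs; the ids
and vectors below are constructed placeholders, not Oracle's actual entries.
"""
import math

# CVSS v2 base metric weights (from the CVSS v2 specification)
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # confidentiality/integrity/availability


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict; reject malformed input."""
    parts = dict(p.split(":", 1) for p in vector.strip().split("/"))
    if set(parts) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"unexpected CVSS v2 vector: {vector!r}")
    return parts


def round1(x):
    """CVSS v2 round_to_1_decimal (half up), avoiding float round() surprises."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector):
    """CVSS v2 base score for a vector string."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def remote_no_auth(vector):
    """True for the article's 'critical' class: network access, no credentials."""
    v = parse_vector(vector)
    return v["AV"] == "N" and v["Au"] == "N"


def triage(entries):
    """entries: iterable of (advisory_id, vector). Returns rows, worst first:
    remotely exploitable unauthenticated issues on top, then by base score."""
    rows = [
        {"id": advisory_id,
         "score": base_score(vector),
         "remote_no_auth": remote_no_auth(vector)}
        for advisory_id, vector in entries
    ]
    return sorted(rows, key=lambda r: (r["remote_no_auth"], r["score"]), reverse=True)


# Constructed sample entries (placeholder ids, not from Oracle's advisory)
SAMPLE = [
    ("EXAMPLE-1", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),  # remote, no auth, Complete impact
    ("EXAMPLE-2", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),  # same access, scored Partial
    ("EXAMPLE-3", "AV:L/AC:L/Au:S/C:P/I:N/A:N"),  # local, needs a login
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run as a script, the first two rows show the same network-reachable, unauthenticated flaw scoring 10.0 when its impact is Complete and 7.5 when it is Partial. An administrator who sorts only by the number would push the Partial-scored entry down a tier, which is why the example ranks on the remote-no-auth flag first and on score second.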
eWEEK reporter Fahmida Rashid contributed to this story. This story was updated on July 20 to clarify the fact that AppSec CTO Josh Shaul and his company produce a competing database protection product to Oracle’s.