Six Unpatched Flaws in Oracle Database Products

A private security research firm goes public with details after waiting more than 700 days for Oracle to release patches.

A German database security outfit on Tuesday went public with information on six unpatched vulnerabilities—some rated critical—in Oracle Forms and Oracle Reports, two widely deployed enterprise-facing products.

Red-Database-Security GmbH, a company that specializes in Oracle security audits, warned that the most serious flaw could allow a malicious hacker to use a Web browser to overwrite any file on a vulnerable application server.

Alexander Kornbrust, founder and CEO of Red-Database-Security, said three of the flaws are deemed "critical" because of the high risk they present to businesses using the affected products.

In an interview with Ziff Davis Internet News, Kornbrust said he decided to publicly release the information after waiting more than 700 days for Oracle to address the issues.


Kornbrust said he had expected to find the patches in Oracle's scheduled July release of "Critical Patch Updates" because of the severity of the flaws and the widespread deployment of Oracle Forms and Oracle Reports.

Oracle Forms is a component of the Oracle Developer Suite, while Oracle Reports is the company's enterprise reporting tool.

The affected products feature prominently in the Oracle Application Server and are also used in the Oracle E-Business Suite.

"Oracle's behavior not fixing critical security bugs for a long time is not acceptable for their customers," Kornbrust said, warning that long delays in releasing patches "put their customers in danger."

"At least one of these vulnerabilities can be abused from any attacker on the Internet," he added.

Kornbrust said he informed the Oracle Security Team three months ago of his plan to publish the bug details if fixes were not included in the July batch of patches.

"I know that Oracle products are complex and a good patch quality needs some time. That's why I offered Oracle additional time if three months were not sufficient for fixing the bugs. Oracle never asked for additional time," he said.

"I decided to publish these vulnerabilities because it is possible to mitigate the risk of these vulnerabilities by using the workarounds provided in the advisories," he added.

Kornbrust, who worked for several years at Oracle Germany, Oracle Switzerland and IBM Global Services as a consultant, said he was not disappointed, but not surprised, that the flaws were not patched.

"This is very typical of the way Oracle deals with security. They take ages to fix serious bugs. We've had this problem with Oracle for many years," he declared.


Oracle has been heavily criticized in the past for being slow to address critical security flaws.

Last summer, at the BlackHat briefings in Las Vegas, researchers pushed the envelope by releasing details on more than two dozen security holes in Oracle products that had not been fixed.

At the time, Oracle confirmed that it had been aware of the vulnerabilities—some of them "high risk"—for several months.

The public relations fallout from that incident prompted Oracle to shift to a quarterly patch cycle, in which four "Critical Patch Updates" will be posted every year.

But it appears the company is still struggling to deal with vulnerabilities that are reported by private researchers.

According to Kornbrust's advisories, Oracle customers can apply pre-patch workarounds to get temporary protection.

The flaws include cross-site scripting, information disclosure, file overwrite, and the ability to run OS commands on vulnerable application servers.

Earlier this month, Oracle released a fix for an incomplete database server patch after a private security research outfit discovered that the underlying vulnerability was never addressed.

That patch came almost a month to the day after David Litchfield, managing director at U.K.-based Next Generation Security Software Ltd., brought the faulty patch to the company's attention.
