Imperva CTO: Oracle Patching Needs Fixing


Amichai Shulman, CTO of web and database security company Imperva, has suggested that Oracle may be losing momentum when it comes to fixing and patching database vulnerabilities once they are highlighted. In the past, he suggests, when Oracle had far fewer products, the company would patch 100 database vulnerabilities at a time.

"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year," said Shulman.

Shulman has reviewed the Oracle Critical Patch Update released this week and offers his analysis of it: "Additionally troubling is the fact that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse-engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."

If the severity that Shulman attributes to these so-termed "vulnerabilities" holds up, Oracle customers may be left with the problem of developing a workaround for their production applications. As for the patch released this week, Shulman says that four of its vulnerabilities are rated 10 for severity.

"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. PeopleSoft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules. Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment," said Shulman.

Oracle, meanwhile, asserts that this patch is part of a longstanding series of solid updates, claiming: "With this Critical Patch Update (CPU), Oracle's primary security vulnerability remediation program enters its seventh year (the first Critical Patch Update was released in January 2005). The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products. CPUs are issued on a predictable schedule published a year in advance."

According to Oracle's official Critical Patch Update blog, the company recently published a technical white paper titled "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture" in an attempt to document the practices of a number of organizations that had adopted repeatable processes for dealing with the Critical Patch Updates. The white paper is designed to act as a starting point for administrators who are new to the Critical Patch Update or who feel overwhelmed by the prospect of patching their systems.

