Imperva CTO: Oracle Patching Needs Fixing


Imperva CTO Amichai Shulman, whose company specializes in web and database security, has suggested that Oracle may be losing momentum in fixing and patching database vulnerabilities once they are brought to light. He notes that in the past, when Oracle had far fewer products, the company would patch 100 database vulnerabilities at a time.

"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year," said Shulman.

Shulman has reviewed the Oracle Critical Patch Update, which was released this week, and provides his analysis of it: "Additionally troubling is the fact that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse-engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."

If the vulnerabilities Shulman highlights are as severe as he suggests, Oracle customers may be left with the problem of developing workarounds for their production applications. As for the patch released this week, Shulman says that there are four vulnerabilities rated 10 for severity.

"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. PeopleSoft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules. Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment," said Shulman.

Oracle, meanwhile, asserts that this patch is part of a longstanding series of solid updates, claiming: "With this Critical Patch Update (CPU), Oracle's primary security vulnerability remediation program enters its seventh year (the first Critical Patch Update was released in January 2005). The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products. CPUs are issued on a predictable schedule published a year in advance."

According to Oracle's official Critical Patch Update blog, the company recently published a technical white paper titled "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture," which documents the practices of a number of organizations that had adopted repeatable processes for dealing with the Critical Patch Updates. The white paper is designed to act as a starting point for administrators who are new to the Critical Patch Update or feel overwhelmed by the prospect of patching their systems.
