Recent Oracle Patch May Not Mean More Secure Servers

By | Jan 23, 2012

On January 17, 2012, Oracle released its first Critical Patch Update (CPU) of the year, which addressed a total of 78 security issues found in a variety of its products. But with many small and midsize business (SMB) users pleased to see improvements in Oracle's MySQL database, Fusion Middleware, and Sun Product Suite, some worry about the lack of attention paid to Oracle's Database Server and the potentially crippling security flaws it may hold.

Patching the Holes

According to a recent eSecurity Planet article, only two fixes for Oracle Database were shipped in the latest CPU. The first addressed the vulnerability identified as CVE-2012-0072. "[It's] a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it)," according to Eric Maurice, Oracle's global technology business unit security manager. The second hole patched in the Oracle Database Server was CVE-2012-0082. This issue centered on System Change Numbers (SCNs), the counters Oracle uses to order transactions in a database. Under a number of very specific circumstances, these SCNs could propagate at an uncontrolled rate across database links, leading to a potential security breach.

While there's no doubt that the two issues addressed by Oracle were necessary fixes, the record low number of database-specific fixes has many users concerned. In April 2011, for example, the company fixed 6 database flaws; in July, it dealt with 13. Alex Rothacker, director of security research for Application Security Inc.'s TEAMShatter, says, "While the number has been trending down over the past couple of years, it was a shock to see just two fixes and the continued lack of emphasis Oracle is placing on providing fixes for its DBMS."

Potential Leaks

A January 2012 Tech Week Europe piece examines potential issues facing the Oracle Database, ones that could seriously impact the usability of the database for SMBs. Oracle maintains that because their server coding has "matured," there are fewer vulnerabilities to weed out, and as a result, the number of database fixes in regular CPUs will drop. But according to Amichai Shulman, CTO of Imperva, Oracle continues to "undervalue the severity of their reported vulnerabilities," such as CVE-2012-0082, which Alex Rothacker says was "probably more severe" than Oracle claims.

Rothacker also says that while TEAMShatter continues to report a consistent number of vulnerabilities, the number fixed is declining. Consumers are told that fewer fixes mean a more secure server environment, but companies like TEAMShatter and Imperva don't agree.

Security And The Small Business

Although the SCN flaw has more potentially severe repercussions for large Oracle customers, there's a growing concern that the company is de-emphasizing its database in favor of Fusion Middleware and as-a-service offerings. For SMB IT teams, tracking and reporting bugs in databases such as Oracle's is important, but so is keeping an eye on patch notes and the line taken by a database provider. Security is an always-evolving process, and it's wise to be leery of any company that claims that fewer patches mean fewer problems, especially when other users aren't reporting the same experience.
