Researchers Bugging Oracle

Researchers are giving Oracle database customers an early Christmas gift - a zero-day bug a day for one week

First it was the Month of Browser Bugs, then it was the Month of Kernel Bugs, and now it is the Week of Oracle Database Bugs (WoODB). (See Getting Buggy with the MOBB and Month of Kernel Bugs to Come.)

Researchers at Buenos Aires, Argentina-based Argeniss plan to post a zero-day bug each day for one week in December. They say they want to demonstrate how Oracle's software isn't as secure as it should be, and how Oracle fails to find and fix bugs. And when Oracle does find bugs, they say, it takes two years or more for a patch.

Argeniss has found zero-day flaws in all database software, not just Oracle's, but it considers Oracle fair game because of its unpatched vulnerabilities.

Databases typically store the crown jewels of data in an organization, so they are becoming an obvious target. And database security is gaining attention as Web application vulnerabilities and exploits increase. Web apps often serve as the front-end to the database, so Web app attacks are the means to an end, the database. (See Study: SQL Server Is Safest DB and Database Threat Intensifies.)

"We have zero-days for all database software vendors but Oracle is 'the number one star' when talking about lots of unpatched vulnerabilities and not caring about security," Argeniss founder and CEO Cesar Cerrudo said in a message board posting announcing the WoODB.

Cerrudo told Dark Reading that he'll post local-privilege escalation, buffer overflow, denial of service, and SQL injection bugs, among others. "My team has found more than 200 vulnerabilities [in Oracle software] -- this includes fixed and unfixed ones," he says. "We have [around] 70 that haven't been fixed yet, [and] also half of them haven't been reported."

Oracle didn't comment directly about the WoODB, but reiterated its policy on disclosure of bugs. "Oracle values the work independent security researchers do and encourages them to follow responsible disclosure policies. Releasing detailed information about unpatched vulnerabilities helps attackers create exploits and attack unpatched systems," an Oracle spokesperson said. "Researchers can notify Oracle of security vulnerabilities by emailing [email protected]."

Argeniss, meanwhile, could have done a year's worth of Oracle database bugs, according to Cerrudo, but it decided a week was sufficient to show Oracle software flaws, plus it didn't want to disclose all the zero-days it had found. There's a chance it could go beyond a week if Argeniss gets contributions to the effort.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
