Researchers Bugging Oracle

Researchers are giving Oracle database customers an early Christmas gift - a zero-day bug a day for one week

First it was the Month of Browser Bugs, then it was the Month of Kernel Bugs, and now it is the Week of Oracle Database Bugs (WoODB). (See Getting Buggy with the MOBB and Month of Kernel Bugs to Come.)

Researchers at Buenos Aires, Argentina-based Argeniss plan to post a zero-day bug each day for one week in December. They say they want to demonstrate how Oracle's software isn't as secure as it should be, and how Oracle fails to find and fix bugs. And when Oracle does find bugs, they say, it takes two years or more for a patch.

Argeniss has found zero-day flaws in all database software, not just Oracle's, but it considers Oracle fair game because of its unpatched vulnerabilities.

Databases typically store an organization's crown jewels of data, so they are becoming an obvious target. And database security is gaining attention as Web application vulnerabilities and exploits increase: Web apps often serve as the front end to the database, so a Web app attack is frequently a means to an end, and that end is the database itself. (See Study: SQL Server Is Safest DB and Database Threat Intensifies.)

"We have zero-days for all database software vendors but Oracle is 'the number one star' when talking about lots of unpatched vulnerabilities and not caring about security," Argeniss founder and CEO Cesar Cerrudo said in a message board posting announcing the WOODB.

Cerrudo told Dark Reading that he'll post local-privilege escalation, buffer overflow, denial of service, and SQL injection bugs, among others. "My team has found more than 200 vulnerabilities [in Oracle software] -- this includes fixed and unfixed ones," he says. "We have [around] 70 that haven't been fixed yet, [and] also half of them haven't been reported."

Oracle didn't comment directly about the WoODB, but reiterated its policy on disclosure of bugs. "Oracle values the work independent security researchers do and encourages them to follow responsible disclosure policies. Releasing detailed information about unpatched vulnerabilities helps attackers create exploits and attack unpatched systems," an Oracle spokesperson said. "Researchers can notify Oracle of security vulnerabilities by emailing [email protected]"

Argeniss, meanwhile, could have done a year's worth of Oracle database bugs, according to Cerrudo, but it decided a week was sufficient to demonstrate the flaws in Oracle's software, and it didn't want to disclose all the zero-days it had found. There's a chance the effort could run beyond a week if Argeniss receives contributions from other researchers.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
