Network Computing Dark Reading

Advertise

Risk

1/19/2012
09:39 AM

Dark Reading
News

1 Comment
Comment Now

50%

Oracle Scorned For Paltry Database Patches

With only two of many reported vulnerabilities fixed in Oracle's latest update, the database security community questions Oracle's patch bottleneck.

Oracle's Tuesday release of its critical patch update (CPU) garnered a continuation of criticism from the database security community, with researchers pointing to a mounting list of unfixed vulnerabilities that date back to 2009, even as Oracle's rate of releasing database patches continues to plummet. Not counting MySQL updates, which are primarily handled by the open-source community, only two out of the 78 fixes in Tuesday's CPU were database-related, the lowest number released by Oracle since it started quarterly CPU releases.

"I am honestly shocked that they only fixed two database vulnerabilities," said Alex Rothacker, manager of Application Security's research arm, TeamSHATTER.

According to Rothacker, his firm currently has nine vulnerabilities reported in Oracle's queue of discovered vulnerabilities. While that might not seem like a lot on its face, he said, one of them dates back to 2009 and five of them can result in privilege escalation. In addition, that's only the vulnerabilities discovered by AppSec researchers. Based on his conversations with those in the community, Oracle has been notified by other vendors and independent researchers about many other vulnerabilities, as well.

"There's definitely more stuff out there than just those nine," Rothacker said.

Rothacker said that because many Oracle customers are loathe to make fixes in their databases anyhow, this lack of pressure is what allows the firm to "get away with taking its time on these CPUs."

Wolfgang Kandek, CTO of Qualys, tends to agree that the slow speed at which database patches are generally applied could contribute to Oracle slowing down its pace with these updates.

"Database patching is definitely slower than other areas, such as servers or workstations," he said. "You can find vulnerabilities and Oracle can fix them, but if customers do not install them or come back to Oracle and say, 'this is important for me,' it makes sense that Oracle could maintain that flow of patch schedule. The rollout schedule is a reflection of how much users actually pay attention to those things."

However, Amichai Shulman, CTO of Imperva, believes there is a bottleneck in the Oracle patching process that needs fixing.

Read the rest of this article on Dark Reading.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment |

Email This |

Print |

RSS

More Insights

Webcasts

Defeating Advanced Adversaries with Tactical Analytics

Forecast Calls for 'EPYC' Innovation and Discovery

More Webcasts

White Papers

IDC Workbook: Cloud Security Roadmap

7 Experts Discuss Evaluating MSSPs

More White Papers

Reports

[Dark Reading Report] Navigating the Threat Intelligence Maze

Low Latency Data Center Interconnect Using Infinera & Arista

More Reports

Comments

Newest First | Oldest First | Threaded View

[close this box]

50%

Bprince,
User Rank: Ninja
1/20/2012 | 3:48:25 AM

re: Oracle Scorned For Paltry Database Patches

It certainly is a possibility that Oracle's patch roll-out schedule is affected by how quickly users patch, and in a way that would make sense. On the other hand, it seems to me that something like that shouldn't be a big factor if a known vulnerability is out there. I think vendors should make patches available as soon as they can, and then leave it up to the enterprises to deploy them as they see fit.
Brian Prince, InformationWeek/Dark Reading Comment Moderator

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

Sodinokibi Ransomware: Where Attackers' Money Goes

Kelly Sheridan, Staff Editor, Dark Reading, 10/15/2019

Data Privacy Protections for the Most Vulnerable -- Children

Dimitri Sirota, Founder & CEO of BigID, 10/17/2019

Live Events

Webinars

[Video] Shaping the Future of IT CIO Lightning Series - Interop19

[Video] An (Ir)rational Approach to Interoperability - Interop19

More Informa Tech Live Events

White Papers

IDC Workbook: Cloud Security Roadmap

9 Ways Cybercriminals Disrupt Business Operations

7 Experts Discuss Evaluating MSSPs

How to Combat Island Hopping

How to Combat Spear Phishing

More White Papers

Video

All Videos

Cartoon

Latest Comment: Check outthe latest from Dark Reading cartoonist John Klossner!

Cartoon Archive

Current Issue

7 Threats & Disruptive Forces Changing the Face of Cybersecurity

This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

2019 Online Malware and Threats

As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?

Download Now!

The State of IT Operations and Cybersecurity Operations

0 comments

How Enterprises Are Developing Secure Applications

0 comments

The State of Cyber Security Incident Response

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2019-13545
PUBLISHED: 2019-10-18

In Horner Automation Cscape 9.90 and prior, improper validation of data may cause the system to write outside the intended buffer area, which may allow arbitrary code execution.

CVE-2019-13541
PUBLISHED: 2019-10-18

In Horner Automation Cscape 9.90 and prior, an improper input validation vulnerability has been identified that may be exploited by processing files lacking user input validation. This may allow an attacker to access information and remotely execute arbitrary code.

CVE-2019-17367
PUBLISHED: 2019-10-18

OpenWRT firmware version 18.06.4 is vulnerable to CSRF via wireless/radio0.network1, wireless/radio1.network1, firewall, firewall/zones, firewall/forwards, firewall/rules, network/wan, network/wan6, or network/lan under /cgi-bin/luci/admin/network/.

CVE-2019-17393
PUBLISHED: 2019-10-18

The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Basic authentication is used for the authentication, making it possible to base64 decode the sniffed credentials and discover the username and pa...

CVE-2019-17526
PUBLISHED: 2019-10-18

** DISPUTED ** An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').pop...

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]