Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Oracle Vulnerabilities Need Patching With Latest Release

Imperva : 20 January, 2011  (Technical Article)
Imperva is advising Oracle database users to install the latest security patch to eliminate vulnerabilities
Amichai Shulman, CTO, Imperva, a web and database security company has reviewed the Oracle Critical Patch Update which has been released and provides the following analysis:



On the Oracle Patch process:



“Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can’t believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.



“In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.



“Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.



“Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous behavior. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers.



On today’s patch:



“As for the patch, there are four vulnerabilities rated 10 for severity. We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent.



“Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. People soft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules.



“Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment.”
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo