Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

Oracle Vulnerabilities Need Patching With Latest Release

Imperva : 20 January, 2011  (Technical Article)
Imperva is advising Oracle database users to install the latest security patch to eliminate vulnerabilities
Amichai Shulman, CTO, Imperva, a web and database security company has reviewed the Oracle Critical Patch Update which has been released and provides the following analysis:

On the Oracle Patch process:

“Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can’t believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.

“In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.

“Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.

“Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous behavior. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers.

On today’s patch:

“As for the patch, there are four vulnerabilities rated 10 for severity. We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent.

“Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. People soft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules.

“Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment.”
Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo