Recent Oracle Patch May Not Mean More Secure Servers
On January 17, 2012, Oracle released its first Critical Patch Update (CPU) of the year, addressing a total of 78 security issues across a variety of its products. While many small and midsize business (SMB) users were pleased to see fixes for Oracle's MySQL database, Fusion Middleware, and the Sun Product Suite, some worry about the lack of attention paid to Oracle Database Server and the potentially crippling security flaws it may still hold.
According to a recent eSecurity Planet article, only two fixes for Oracle Database shipped in the latest CPU. The first addressed a vulnerability tracked as CVE-2012-0072. "[It's] a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it)," according to Eric Maurice, Oracle's global technology business unit security manager. The second hole patched in Oracle Database Server was CVE-2012-0082. This issue centered on System Change Numbers (SCNs), the monotonically increasing counters Oracle uses to order transactions in a database. Under a number of very specific circumstances, an SCN could propagate at an uncontrolled rate across database links, driving linked databases toward the SCN's upper limit and threatening their availability.
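Because the SCN issue is about headroom rather than data exposure, the first thing a DBA wants is to see how close an instance is to the limit and which database links could carry a remote SCN into it. The following queries are an added example, not from the article, Oracle's advisory, or the security firms quoted here. They assume an Oracle 10g/11g instance queried by a DBA, and they assume the rate-based soft limit Oracle's own headroom checks use: 16,384 SCNs per second elapsed since 1988-01-01 00:00:00 (that figure is not stated on this page and is taken as an assumption).

```sql
-- Added example (not from the article). Run as a DBA on an Oracle 10g/11g instance.
-- Assumption: the SCN soft limit grows at 16384 per second elapsed since
-- 1988-01-01 00:00:00, the rate used by Oracle's own SCN headroom checks.
-- SYSDATE is server-local time, so the headroom figure is approximate.

-- 1. Where this database's SCN stands against the rate-based soft limit.
--    A small headroom_days value, or a sudden drop between two runs,
--    indicates an SCN jump (possibly arriving over a database link).
SELECT d.current_scn,
       (SYSDATE - TO_DATE('1988-01-01', 'YYYY-MM-DD')) * 86400 * 16384
           AS soft_limit_scn,
       ROUND(((SYSDATE - TO_DATE('1988-01-01', 'YYYY-MM-DD')) * 86400 * 16384
               - d.current_scn) / (86400 * 16384), 1)
           AS headroom_days
FROM   v$database d;

-- 2. Database links over which a remote SCN can be pushed into this instance.
--    Every link is a path by which a linked database's SCN can raise ours,
--    so an unexpected or unused link is worth removing.
SELECT owner, db_link, host, username
FROM   dba_db_links
ORDER  BY owner, db_link;
```

Run the first query periodically and record the result; a healthy, lightly used database should show headroom measured in years, and a drop of days or weeks between two readings with no matching local workload is the kind of signal that a linked database is dragging the SCN upward.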
While there's no doubt that the two issues Oracle addressed needed fixing, the record-low number of database-specific fixes has many users concerned. In April 2011, for example, the company fixed six database flaws; in July, it dealt with 13. Alex Rothacker, director of security research for Application Security Inc.'s TEAMShatter, says, "While the number has been trending down over the past couple of years, it was a shock to see just two fixes and the continued lack of emphasis Oracle is placing on providing fixes for its DBMS."
A January 2012 Tech Week Europe piece examines potential issues facing Oracle Database, ones that could seriously affect its usability for SMBs. Oracle maintains that because its database code base has "matured," there are fewer vulnerabilities left to weed out, and that the number of database fixes in regular CPUs will therefore drop. But according to Amichai Shulman, CTO of Imperva, Oracle continues to "undervalue the severity of their reported vulnerabilities," such as CVE-2012-0082, which Alex Rothacker says was "probably more severe" than Oracle claims.
Rothacker also says that while TEAMShatter continues to report a consistent number of vulnerabilities to Oracle, the number that gets fixed is declining. Customers are told that fewer fixes mean a more secure database, but companies like TEAMShatter and Imperva don't agree.
Security And The Small Business
Although the SCN flaw has more severe potential repercussions for large Oracle customers with many interconnected databases, there's a growing concern that the company is de-emphasizing its database in favor of Fusion Middleware and as-a-service offerings. For SMB IT teams, tracking and reporting bugs in databases such as Oracle's is important, but so is keeping an eye on patch notes and the line taken by a database vendor. Security is an always-evolving process, and it's wise to be wary of any company that claims fewer patches mean fewer problems, especially when the researchers reporting the bugs aren't seeing the same thing.