Oracle's Critical Patch Update, released yesterday, is leaving manufacturers to face severe vulnerabilities without work-arounds.
That's the conclusion of Amichai Shulman, CTO of web and database security company Imperva.
"In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities," he observes.
"However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can't believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities," he adds.
Shulman notes that in the past, when Oracle had far fewer products, it was typically patching 100 database vulnerabilities at a time. "One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products," he comments.
And he adds: "Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."
His concern: without insight into the vulnerabilities, Oracle users cannot develop workarounds for their production applications.
"I find it hard to believe that a company would patch critical applications without months of testing. This lack of transparency is outrageous behaviour. Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their customers."
As for the patch itself, there are four vulnerabilities rated 10 for severity. "We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent," explains Shulman.
"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite.
"PeopleSoft and JD Edwards [ERP applications] have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules."