Security Experts: Many Concerned Over Oracle's Response to Security Vulnerabilities

Many Voice Concern Over Database Giant’s Response to High Risk Vulnerabilities

(Update 4/19 - Oracle Released The Critical Patch Update as Expected)

Tomorrow Oracle will release a critical patch update (CPU) containing a whopping 73 new security vulnerability fixes across hundreds of its products. Interestingly, only six of those are fixes for its database products.

Historically, Oracle has been criticized over its response time to security vulnerabilities, and the level of concern seems to be increasing within the information security industry.

Just last month, Larry Ellison’s new right hand man, Oracle President Mark Hurd, addressed customers and potential customers at the Oracle Chief Security Officer Summit in New York City. In his speech, Hurd emphasized the importance of risk management and security, and said he believed that IT security would soon be a board-level concern.

“There is talk of making risk management a staple of every board,” Hurd said. “Board members don’t like this. IT security is not an event, it’s an ongoing risk. And that is one reason that people don’t like dealing with the subject,” he added. Later in his speech, Hurd said, “the number of bad guys is increasing. The sophistication of the bad guys is increasing. So is the complexity of the IT environments the bad guys want to attack.”

During Q&A for the session, Hurd noted the size of Oracle’s portfolio and the breadth of products it offers. Commenting on things he’s learned since being on board at Oracle, Hurd said, “The one thing that I think was a surprise is that there are so many customers that don’t know the breadth of our portfolio.” The growing number of products coming from Oracle is exactly what many security experts are concerned about.

With many more products to support and maintain, many are voicing concern over the ability of the database giant to keep up with security fixes for its database products. Counting thousands of banks and healthcare organizations as clients, Oracle’s database products store some of the most sensitive data there is.

Is Oracle doing everything in its power to maintain the security of its database products and responding appropriately to newly identified security vulnerabilities? Many industry experts don’t think so.

“Similar to what we saw in the last CPU in January, this latest iteration has just six fixes dedicated to Oracle’s database products out of 73 total patches to be issued,” said Alex Rothacker, Director of Security Research at Application Security, Inc. “As Oracle continues to get further and further away from being a database-only vendor, their attention and dedication platform to fixing vulnerabilities on the database continues to move in a downward trend,” Rothacker added.

Rothacker has some valid reasons to back his concerns. He heads up a team of researchers focused exclusively on database security that is often credited in Oracle critical patch updates for identifying database vulnerabilities. According to Rothacker, his team currently has ten open reported vulnerabilities with Oracle, most of which they classify at a fairly high risk level. “There are other researchers who regularly submit their vulnerability findings to Oracle in a similar fashion. Who knows how many other potentially critical vulnerabilities have been reported by others that are not being dealt with,” Rothacker said.

Amichai Shulman, CTO at Imperva, also believes Oracle is having some trouble keeping up with vulnerability fixes for its growing portfolio of products. “It does seem that Oracle is losing some of the focus it had on patching its database platform,” Shulman told SecurityWeek. “This is well understandable as the number of products Oracle had to introduce into their security patching cycle has grown dramatically in the past couple of years.”

Shulman believes that the introduction of the Sun Java platform into the process has created a serious scale challenge for Oracle's internal security patch processes. “I imagine that while the size of the team charged with managing the security patch process has stayed relatively the same, the number of vulnerabilities has grown dramatically,” Shulman said. “This reflects on Oracle’s ability to patch more vulnerabilities in the database product line. Additionally, we have seen Oracle struggling with the need to issue out-of-cycle patches, again as a consequence of introducing the Sun Java product line, which probably puts even more resource constraints on the regular patching process.”

Shulman believes change is needed in the way Oracle handles these processes. “In my opinion, Oracle is at the point where a change is required. Either separate processes operated by separate teams need be applied to different product lines, or a change to the existing process should be introduced to include early notification about detected vulnerabilities with workaround information instead of patching,” Shulman said. “Alternatively, Oracle could work with security vendors to allow early introduction of virtual patches through 3rd party security devices.”

Slavik Markovich, CTO Database Security at McAfee, says that while the latest Oracle CPU is similar in scope to other recent patch releases from a database perspective, what concerns him is the never-ending cycle and level of severity of many of the vulnerabilities. “The fact that once again, 2 of these vulnerabilities are remotely exploitable without authentication is concerning,” Markovich said. “These are potentially very dangerous, and it does seem like there will be no end to the discovery of new vulnerabilities that are capable of being exploited in this way. Every time Oracle closes down a few new ones, another 2-3 issues with these characteristics are found,” Markovich added.

While database administrators and IT security teams wait for patches to become available, they need to keep a close eye on things, and respond quickly once patches are released. “The risk of remote exploit without authentication means that every site should do their best to schedule this patch update as soon as is feasible,” said Markovich. “For those that cannot do so, timely monitoring of audit logs and blocking with some form of virtual patching is advisable,” he added.

Oracle notes in its 2010 annual report, “End users, who rely on our software products and services for applications that are critical to their businesses, may have a greater sensitivity to product errors and security vulnerabilities than customers for software products generally.” This is exactly why Oracle needs to take a leadership position when it comes to fixing security vulnerabilities.

With over $26 billion in annual revenue, a $170 billion market cap, and more than 370,000 customers, including 100 of the Fortune 100, Oracle's customers deserve better. The database giant spent more than $3.2 billion on research and development in 2010. More of that needs to be spent on helping to protect its customers.

I have a very high level of respect for Mark Hurd's leadership ability. He's a great addition to Oracle's management team. But the company needs to digest some of the words he spoke at the Oracle Chief Security Officer Summit and put them into action at home in Redwood Shores.