On Tuesday, Oracle delivered its first Critical Patch Update (CPU) of 2012, which included a total of 78 fixes across a wide range of Oracle products. The update also marked the first time the MySQL database software has been part of Oracle’s CPU process.
In Oracle’s January 2012 Critical Patch Update, 27 new security fixes were issued for MySQL, with one of the vulnerabilities capable of being remotely exploitable without authentication. Interestingly, Oracle’s Database server only contained two security fixes, something that irks database security experts.
While 78 fixes may seem like a fair number of fixes, database security experts still think Oracle is not putting the resources into patching vulnerabilities that it should, and that Oracle’s patching process is still somewhat broken.
“While introducing MySQL into the patch process is a good thing, it emphasizes again scalability problems,” said Amichai Shulman, CTO at Imperva. “With the introduction of a new product, especially when it shows 27 fixes in this CPU, you’d expect the number of overall patches in the CPU to increase. This has not happened.”
Application Security, Inc. told SecurityWeek that its research arm, TeamSHATTER, had discovered and notified Oracle about multiple vulnerabilities that are supposedly in the queue to be fixed, but none had been fixed this time around. The bugs, the researchers say, are not inconsequential either. “The prevailing thought from our researchers is that several of those submitted are high risk and should have been fixed,” said Alex Rothacker, Director of Security Research at Application Security, Inc.
“There is a bottleneck in the Oracle patching process,” said Shulman. Could there be obstacles in the security and testing process? Shulman thinks so. He voiced his concern over the fact that just two vulnerabilities were fixed in Oracle’s core database product. “Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process,” he said. “This may be a consequence of adding the new MySQL product in the patching process. However, another factor may be that these fixes are much more critical and complex than their CVSS score suggests.”
“They should fix this bottleneck, especially as they introduce new products and acquisitions continue,” Shulman added. “We assume the bottleneck exists due to the relative low number of vulnerabilities while the patch increases in terms of products covered. As in many organizations, it’s safe to assume that Oracle has a security team separate from the engineering team that deals with the vulnerabilities and so the bottleneck most likely resides there and should be removed.”
“Oracle released a patch for CVE-2012-0094 Solaris TCP/IP Denial of Service bug, a network vulnerability, which had the highest base score of 7.8. CVE-2012-0100 is a Solaris vulnerability related to Kerberos and it has the second highest base score of 6.8,” said Security Researcher, Marcus Carey of Rapid7. “It’s a local vulnerability, but has the greatest ramifications of all the vulnerabilities. Since it is a local vulnerability, it is rated slightly behind CVE-2012-0094.”
While CVE-2012-0094 may have had the highest base score according to Oracle, Carey thinks that another vulnerability is more threatening. “CVE-2012-0083, which affects Oracle WebCenter Content, is the most dangerous network-based vulnerability, because it could allow an attacker to compromise confidentiality and integrity of systems,” Carey said.
Also of note, Carey added, is that Oracle patched CVE-2011-5035, a vulnerability that relates to the GlassFish Enterprise Server denial of service vulnerability that was disclosed at the Chaos Communication Congress in Germany in December.
A summary of the fixes in Oracle’s January 2012 CPU are as follows:
* 2 for Oracle Database Server
* 1 for Oracle Fusion Middleware
* 3 for Oracle E-Business Suite
* 1 for Oracle Supply Chain Products Suite
* 6 for Oracle PeopleSoft Products
* 8 for Oracle JD Edwards Products
* 17 for Oracle Sun Products Suite
* 3 for Oracle Virtualization
* 27 for Oracle MySQL
Earlier this month Oracle released an update to its Oracle Database Firewall, the database giant’s solution to improve enterprise database security and help enterprises prevent internal and external attacks from reaching their databases. The latest edition of Oracle Database Firewall introduced support for MySQL, adding to previous support for Oracle Database 11g and earlier releases, IBM DB2 Linux Unix Windows, Microsoft SQL Server, Sybase Adaptive Server Enterprise (ASE) and Sybase SQL Anywhere.