On Tuesday, Oracle released its Critical Patch Update for October 2011 which brought a total of 57 security vulnerability fixes across multiple Oracle products.
Despite bringing an average number of fixes, many industry experts voiced concern over the number of fixes specific to Oracle’s database server. In the October 2011 CPU, just five fixes were specific to the Oracle database server. Historically, the database giant has been criticized over its security response efforts and this month is no different.
“This CPU is one of the weakest releases of Database Server patches we’ve seen since the process started in 2005,” said Alex Rothacker, Director of Security, at Application Security, Inc. “The record low number of database patches continues an alarming trend of Oracle seemingly losing focus on database security improvements.”
Experts also voiced their concerns over the rankings Oracle assigned to some of the vulnerabilities being addressed in the update.
“With the highest vulnerability being only 6.5 on the CVSS scoring system, Oracle seems to be downplaying a few vulnerabilities that can be easily exploited,” said Amichai Shulman, CTO at Imperva. “This one should probably be higher because the effect is practically a full takeover of the database server and it’s easy to exploit,” he explained. “Another database vulnerability (CVE-2011-3512) gets a 5.5 but should be higher as well. It’s probably a SQL injection vulnerability which is relatively easy to exploit and could lead to a catastrophic dump of the database’s contents.”
Kurt Baumgartner, Senior Security Researcher at Kaspersky Lab, pointed to an important Java update, a fix for the “BEAST” exploit, that came as part of this week’s fixes. “Most interesting, but perhaps with little impact, is the Java SE BEAST update,” he noted. BEAST – Browser Exploit Against SSL/TLS is a tool developed by security researchers Juliano Rizzo and Thai Duong that enables attackers to decrypt HTTP cookies. “The exploit almost turned into more of a disaster when Mozilla considered blocking all Java add-on use from their browsers: ‘We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.’ So, it is somewhat surprising that Oracle rated this fix low within their risk matrix with a ‘Base Score’ of 4.3,” Baumgartner explained.
Earlier this month, Oracle announced enhancements to its Oracle Enterprise Manager 12c product, adding new security features including the ability for organizations to monitor and configure database access, encrypt data, mask data and provide privileged user controls, as well as several other security and IT compliance related functions. Despite these recent offerings, the industry still believes Oracle needs to be more responsive and put more resources into operations surrounding security and vulnerabilities.
As always, system and database administrators should review the updates and apply updates accordingly to reduce security risks. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” Oracle noted in the CPU update advisory.