Amichai Shulman, CTO, Imperva, a web and database security company has reviewed the Oracle Critical Patch Update which was released today and provides the following analysis:
On the Oracle Patch process:
"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can't believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.
"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.
"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.
"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous behavior. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers.
On today's patch:
"As for the patch, there are four vulnerabilities rated 10 for severity. We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent.
"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. People soft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules.
"Exploits may emerge over the next few days, but we'll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment."
If you would like further information or would like to speak to Amichai Shulman about these updates, please contact me on 44 207 183 2834 or email Darshna@eskenzipr.com
On the Oracle Patch process:
"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can't believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.
"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.
"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.
"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous behavior. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers.
On today's patch:
"As for the patch, there are four vulnerabilities rated 10 for severity. We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent.
"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. People soft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules.
"Exploits may emerge over the next few days, but we'll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment."
If you would like further information or would like to speak to Amichai Shulman about these updates, please contact me on 44 207 183 2834 or email Darshna@eskenzipr.com
