January 18th marks the 6th anniversary of the Oracle Critical Patch Update (CPU) in its current form as a quarterly patch. For those who remember, before the CPU, Oracle released patches as Security Alerts, the last being Security Alert 68 at the end of August 2004.
In the past 6 years, CPUs have brought a steady stream of security patches to the Oracle Database Management System (DBMS), with 71 patches in 2005, 87 in 2006, 73 in 2007, 53 in 2008, and 54 in 2009.
The Downward Trend
However, starting in 2010, Oracle significantly decreased the number of database patches, with only 32 fixes reported. The trend continues in the first release of 2011, with only 6 database fixes out of 66 total fixes. The bulk of the other 60 fixes are in Oracle Fusion Middleware, PeopleSoft and Solaris. See the chart for the number of security fixes to the Oracle Database since January 2005.
In the meantime, Oracle has acquired numerous companies and has incorporated fixes to the respective products into the CPU, steadily growing the total number of fixes. It appears that all these acquisitions have made Oracle lose focus on its core competency. It also shows that Oracle’s security team is getting spread too thin between all these newly acquired products.
Let’s take a further look at the database portion of the most recent CPU. As mentioned above, a total of 66 security issues are fixed in this CPU, with 6 directly affecting the database and 1 affecting Oracle Audit Vault. Here is the drill down:
2011 Wish List – Be More Like Microsoft
CPU reports simply don’t have the information needed to be useful for the DBAs who would be applying these patches. Each quarter, the releases make it significantly difficult to gauge the real risk level of each vulnerability. CVSS scoring tends to be skewed, and Oracle often assigns flaws lower CVSS scores because of its “Partial+” ranking. It would also be nice to see additional details on the vulnerabilities, including details on temporary workarounds and attack vectors. When Microsoft issues its patches on Patch Tuesday, they issue a detailed document for each vulnerability – including workarounds and attack vectors.
While I’m on the subject of Microsoft – perhaps Oracle should be more like them in other ways as well. Microsoft SQL Server 2005 and 2008 have been virtually free of vulnerabilities. Microsoft shows a real concern for database security, and they have invested heavily in security improvements over the years to ensure organizations don’t spend every quarter fumbling to determine which patches are critical and how they are going to apply every one in time, before a hacker exploits the flaws.
More Work To Be Done
To sum it up, there are 3 flaws combined between Oracle Audit Vault and Oracle Database Vault. Both of these products are security options to the database, but with flaws this severe, Oracle might want to go back to the drawing board and rethink how to address security through their complete development cycle.
We know that Oracle relies on many independent security researchers to find these vulnerabilities. As one of those researchers responsible for reporting vulnerabilities, I know that they have a mounting list of flaws to patch. This quarter alone, my team was credited with reporting 3 of the 6 DBMS vulnerabilities. And no, the lack of database vulnerabilities being patched by Oracle doesn’t mean that there aren’t any significant flaws. There is still more work to be done.
Alex Rothacker is the director of security at AppSec Inc.’s Team SHATTER research team.