As the number of vulnerabilities in its products grows, Oracle is on the defensive.
When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks.
No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities not just with its databases but across its entire product line. Its most recent quarterly critical patch update release addressed 82 vulnerabilities across its database, application server, collaboration suite, E-business suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly critical patch updates in January 2005.
The nature of several of these vulnerabilities, as well as Oracle's bug reporting and patching practices, have raised red flags among security researchers and some customers. All acknowledge that there are no known worms threatening to take down Oracle databases and that Oracle has a strong track record when it comes to security. But they also know that the threats are becoming more dangerous and increasing government regulations are holding companies accountable for the sanctity of both internal and client data.
The most serious concerns related to the security of Oracle's database systems were voiced in January, when several researchers and analysts took Oracle to task for flaws in its products and for its patching policies. David Litchfield, managing director of Next Generation Security Software, gave a presentation at a Black Hat conference on a new vulnerability in Oracle's Procedural Language extension to SQL and posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists. The flaw, which Litchfield called critical, lies in the Oracle PLSQL gateway and can let an attacker grab control of an Oracle database server via a compromised Web server.
Litchfield proceeded to post to Bugtraq so-called workaround solutions that users could implement to keep the vulnerability from being exploited, but Oracle countered that these workarounds kept certain E-business apps from working properly. Oracle plans to fix the bug in an upcoming critical patch update but hasn't said if the fix would be available in time for the next update in April. The company maintains that it can issue an emergency patch for the PLSQL problem should an exploit surface.
Also in January, Alexander Kornbrust, CEO of security research and consulting firm Red-Database-Security, reported that an Oracle security feature called transparent data encryption was storing its master encryption key unencrypted in the system global area, which is Oracle's structural memory that aids the transfer of data between clients and an Oracle database. Kornbrust's conclusion: A skilled attacker or nonsecurity database administrator could retrieve the plaintext master key, which would let that person decrypt all data encrypted using that key. Oracle says it addressed this issue in January's critical patch update.
While neither of these vulnerabilities is within the database itself, they show how applications that request information from an Oracle database could be compromised. "We all have some concerns about the future of attacks against applications and databases," says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. "The biggest issue is when you start laying your Web infrastructure over these back-end applications."
Oracle's past two critical patch updates addressed 37 and 38 vulnerabilities affecting database versions, including 8i, 9i, and 10g. Another 20 vulnerabilities patched by both updates involved the company's application server. Oracle's database security features include integrated encryption, protection against log tampering, and advanced auditing capabilities. Yet "all of this becomes meaningless because they have poor practices around dealing with vulnerabilities and patching," says Gartner analyst Richard Mogull.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.