Oracle Security Under Scrutiny - InformationWeek


As the number of vulnerabilities in its products grows, Oracle is on the defensive.

When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job, carried out by employees who already hold some level of access to the database system. That is still the case, but databases are becoming more exposed to the outside world: Web-facing applications demand faster access to information, and as databases move closer to the network perimeter they become reachable by network-based attacks.

No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities, not just in its databases but across its entire product line. Its most recent quarterly Critical Patch Update, in January, addressed 82 vulnerabilities across its database, application server, Collaboration Suite, E-Business Suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly Critical Patch Updates in January 2005.

The nature of several of these vulnerabilities, as well as Oracle's bug reporting and patching practices, has raised red flags among security researchers and some customers. All acknowledge that there are no known worms threatening to take down Oracle databases and that Oracle has a strong track record when it comes to security. But they also know that the threats are becoming more dangerous, and that a growing body of government regulation holds companies accountable for the confidentiality and integrity of both internal and client data.

The most serious concerns about the security of Oracle's database systems were voiced in January, when several researchers and analysts took Oracle to task for flaws in its products and for its patching policies. David Litchfield, managing director of Next Generation Security Software, gave a presentation at a Black Hat conference on a new vulnerability in Oracle's PL/SQL gateway, the component through which a Web server invokes PL/SQL stored procedures in the database, and posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists. The flaw, which Litchfield rated critical, lets an attacker who can reach the gateway through the Web server take control of the Oracle database server behind it.


Litchfield then posted workarounds to Bugtraq that users could apply to keep the vulnerability from being exploited, but Oracle countered that those workarounds kept certain E-Business Suite applications from working properly. Oracle plans to fix the bug in an upcoming Critical Patch Update but hasn't said whether the fix will be ready for the next one, in April. The company maintains that it can issue an emergency patch for the PL/SQL gateway problem should an exploit surface.

Also in January, Alexander Kornbrust, CEO of security research and consulting firm Red-Database-Security, reported that an Oracle security feature called transparent data encryption was storing its master encryption key unencrypted in the system global area (SGA), the shared memory region that a running Oracle instance uses for its caches and shared pool. Kornbrust's conclusion: a skilled attacker, or a database administrator who is not the designated security administrator, could retrieve the plaintext master key from memory and thereby decrypt all data encrypted under that key, without ever touching the wallet file or its password. Oracle says it addressed this issue in January's Critical Patch Update.
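To make concrete what transparent data encryption protects and what the master key governs, the following is an added example written for this page; it is not code from the article, from Kornbrust's report, or from Oracle's documentation. It uses Oracle 10g Release 2 column-level TDE syntax; the wallet directory, wallet password, schema and table names are assumptions for illustration.

```sql
-- Added example (not from the InformationWeek article or from Oracle).
-- Minimal Oracle 10g Release 2 column-level TDE setup. Wallet path,
-- password, schema and table names are illustrative assumptions.

-- 1. Wallet location, set in sqlnet.ora on the database server
--    (configuration, not SQL; reproduced here as a comment):
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- 2. Generate the master key and the wallet that stores it on disk.
--    The password protects the wallet file; once the wallet is open the
--    master key is held in instance memory (the SGA) for the life of the
--    instance. After a restart, reopen it with:
--    ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_pw_example";
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_pw_example";

-- 3. Encrypt a column. Oracle generates a per-table key, encrypts that key
--    under the master key, and stores the encrypted table key in the data
--    dictionary. Whoever holds the master key can recover every table key.
CREATE TABLE hr.employees_tde (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(100),
  ssn     VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT
);

INSERT INTO hr.employees_tde (emp_id, name, ssn)
  VALUES (1, 'Example User', '123-45-6789');
COMMIT;

-- 4. Encryption is transparent: any session with SELECT on the table gets
--    plaintext back. TDE protects datafiles, redo and archive logs, and
--    backups on disk; it does not protect against a privileged database
--    user, nor against anyone who can read the master key out of the SGA.
SELECT emp_id, ssn FROM hr.employees_tde;

-- 5. Inventory: which columns are encrypted, and the wallet state.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 6. Closing the wallet makes encrypted columns inaccessible until it is
--    reopened with the password. The flaw reported in the article was that
--    the master key also sat unencrypted in the SGA, so a memory read
--    bypassed the wallet entirely.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
```

The practical takeaway is the threat model: column-level TDE is a control against stolen disks, copied datafiles and backups, not against an attacker or administrator who already has code execution or memory access on the database host. Key material loaded into the SGA is exactly as exposed as any other instance memory.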

Neither of these is a classic flaw in the database engine's SQL processing; together they show how the layers around an Oracle database, the Web tier in front of it and the key management beneath it, can be used to compromise the data it holds. "We all have some concerns about the future of attacks against applications and databases," says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. "The biggest issue is when you start laying your Web infrastructure over these back-end applications."

Oracle's past two Critical Patch Updates addressed 37 and 38 vulnerabilities, respectively, in database versions including 8i, 9i, and 10g. Another 20 vulnerabilities patched across the two updates were in the company's application server. Oracle's database security features include integrated encryption, protection against log tampering, and advanced auditing capabilities. Yet "all of this becomes meaningless because they have poor practices around dealing with vulnerabilities and patching," says Gartner analyst Richard Mogull.
