Oracle Security Under Scrutiny - InformationWeek

Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.

When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks.

No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities not just with its databases but across its entire product line. Its most recent quarterly critical patch update release addressed 82 vulnerabilities across its database, application server, collaboration suite, E-business suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly critical patch updates in January 2005.

The nature of several of these vulnerabilities, as well as Oracle's bug reporting and patching practices, have raised red flags among security researchers and some customers. All acknowledge that there are no known worms threatening to take down Oracle databases and that Oracle has a strong track record when it comes to security. But they also know that the threats are becoming more dangerous and increasing government regulations are holding companies accountable for the sanctity of both internal and client data.

The most serious concerns related to the security of Oracle's database systems were voiced in January, when several researchers and analysts took Oracle to task for flaws in its products and for its patching policies. David Litchfield, managing director of Next Generation Security Software, gave a presentation at a Black Hat conference on a new vulnerability in Oracle's Procedural Language extension to SQL and posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists. The flaw, which Litchfield called critical, lies in the Oracle PLSQL gateway and can let an attacker grab control of an Oracle database server via a compromised Web server.

Litchfield proceeded to post to Bugtraq so-called workaround solutions that users could implement to keep the vulnerability from being exploited, but Oracle countered that these workarounds kept certain E-business apps from working properly. Oracle plans to fix the bug in an upcoming critical patch update but hasn't said if the fix would be available in time for the next update in April. The company maintains that it can issue an emergency patch for the PLSQL problem should an exploit surface.

Also in January, Alexander Kornbrust, CEO of security research and consulting firm Red-Database-Security, reported that an Oracle security feature called transparent data encryption was storing its master encryption key unencrypted in the system global area, which is Oracle's structural memory that aids the transfer of data between clients and an Oracle database. Kornbrust's conclusion: A skilled attacker or nonsecurity database administrator could retrieve the plaintext master key, which would let that person decrypt all data encrypted using that key. Oracle says it addressed this issue in January's critical patch update.

While neither of these vulnerabilities is within the database itself, they show how applications that request information from an Oracle database could be compromised. "We all have some concerns about the future of attacks against applications and databases," says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. "The biggest issue is when you start laying your Web infrastructure over these back-end applications."

Oracle's past two critical patch updates addressed 37 and 38 vulnerabilities affecting database versions, including 8i, 9i, and 10g. Another 20 vulnerabilities patched by both updates involved the company's application server. Oracle's database security features include integrated encryption, protection against log tampering, and advanced auditing capabilities. Yet "all of this becomes meaningless because they have poor practices around dealing with vulnerabilities and patching," says Gartner analyst Richard Mogull.
