Oracle Security Under Scrutiny - InformationWeek

Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.

When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks.

No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities not just with its databases but across its entire product line. Its most recent quarterly critical patch update release addressed 82 vulnerabilities across its database, application server, collaboration suite, E-business suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly critical patch updates in January 2005.

The nature of several of these vulnerabilities, as well as Oracle's bug reporting and patching practices, has raised red flags among security researchers and some customers. All acknowledge that there are no known worms threatening to take down Oracle databases and that Oracle has a strong track record when it comes to security. But they also know that the threats are becoming more dangerous and that increasing government regulations are holding companies accountable for the sanctity of both internal and client data.

The most serious concerns related to the security of Oracle's database systems were voiced in January, when several researchers and analysts took Oracle to task for flaws in its products and for its patching policies. David Litchfield, managing director of Next Generation Security Software, gave a presentation at a Black Hat conference on a new vulnerability in Oracle's Procedural Language extension to SQL and posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists. The flaw, which Litchfield called critical, lies in the Oracle PLSQL gateway and can let an attacker grab control of an Oracle database server via a compromised Web server.

Litchfield proceeded to post to Bugtraq so-called workaround solutions that users could implement to keep the vulnerability from being exploited, but Oracle countered that these workarounds kept certain E-business apps from working properly. Oracle plans to fix the bug in an upcoming critical patch update but hasn't said whether the fix will be available in time for the next update in April. The company maintains that it can issue an emergency patch for the PLSQL problem should an exploit surface.

Also in January, Alexander Kornbrust, CEO of security research and consulting firm Red-Database-Security, reported that an Oracle security feature called transparent data encryption was storing its master encryption key unencrypted in the system global area, the shared memory region that Oracle uses to move data between clients and an Oracle database. Kornbrust's conclusion: A skilled attacker or a non-security database administrator could retrieve the plaintext master key, which would let that person decrypt all data encrypted using that key. Oracle says it addressed this issue in January's critical patch update.

While neither of these vulnerabilities is within the database itself, they show how applications that request information from an Oracle database could be compromised. "We all have some concerns about the future of attacks against applications and databases," says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. "The biggest issue is when you start laying your Web infrastructure over these back-end applications."

Oracle's past two critical patch updates addressed 37 and 38 vulnerabilities affecting database versions, including 8i, 9i, and 10g. Another 20 vulnerabilities patched by both updates involved the company's application server. Oracle's database security features include integrated encryption, protection against log tampering, and advanced auditing capabilities. Yet "all of this becomes meaningless because they have poor practices around dealing with vulnerabilities and patching," says Gartner analyst Richard Mogull.
