Oracle Security Under Scrutiny

As the number of vulnerabilities in its products grows, Oracle is on the defensive.



When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks.

No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities not just with its databases but across its entire product line. Its most recent quarterly critical patch update release addressed 82 vulnerabilities across its database, application server, collaboration suite, E-business suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly critical patch updates in January 2005.

The nature of several of these vulnerabilities, as well as Oracle's bug reporting and patching practices, have raised red flags among security researchers and some customers. All acknowledge that there are no known worms threatening to take down Oracle databases and that Oracle has a strong track record when it comes to security. But they also know that the threats are becoming more dangerous and increasing government regulations are holding companies accountable for the sanctity of both internal and client data.

The most serious concerns related to the security of Oracle's database systems were voiced in January, when several researchers and analysts took Oracle to task for flaws in its products and for its patching policies. David Litchfield, managing director of Next Generation Security Software, gave a presentation at a Black Hat conference on a new vulnerability in PL/SQL, Oracle's procedural extension to SQL, and posted a brief description of the problem to the Bugtraq and Full Disclosure security mailing lists. The flaw, which Litchfield rated critical, lies in the Oracle PLSQL gateway, the component that lets a Web server turn HTTP requests into stored-procedure calls, and can let an attacker who reaches a Web server exposing that gateway take control of the Oracle database server behind it.


Litchfield proceeded to post to Bugtraq so-called workaround solutions that users could implement to keep the vulnerability from being exploited, but Oracle countered that these workarounds kept certain E-business apps from working properly. Oracle plans to fix the bug in an upcoming critical patch update but hasn't said if the fix would be available in time for the next update in April. The company maintains that it can issue an emergency patch for the PLSQL problem should an exploit surface.
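The gateway maps a URL of the form /pls/&lt;dad&gt;/&lt;schema&gt;.&lt;package&gt;.&lt;procedure&gt; to a stored-procedure call, and a gateway-side exclusion list is the control meant to keep Web clients away from SYS-owned packages. The script below is an added example, not code from the article, from Litchfield's posts or from Oracle: it compares a string-prefix check on the raw request against one that first canonicalizes the name (percent-decode, strip whitespace and control characters, lowercase), run over a few constructed request lines. The exclusion patterns, the canonicalization steps and the sample requests are assumptions for illustration, not Oracle's defaults and not the bypass Litchfield reported.

```python
import fnmatch
from urllib.parse import unquote, urlsplit

# Assumed subset of a mod_plsql-style exclusion list: case-insensitive globs
# over the "schema.package.procedure" name that follows the DAD in the URL.
# Stand-in values for this example, not Oracle's actual default list.
EXCLUSION_LIST = ("sys.*", "dbms_*", "utl_*", "owa_util.*", "htp.*")

# Constructed sample request paths of the form /pls/<dad>/<name>?<args>.
SAMPLE_REQUESTS = [
    "/pls/portal/myapp.orders.show?id=42",             # ordinary application call
    "/pls/portal/dbms_output.put_line?a=x",            # caught by the plain prefix match
    "/pls/portal/%20dbms_output.put_line?a=x",         # percent-encoded leading space
    "/pls/portal/DBMS_output.put_line?a=x",            # case variation
    "/pls/portal/%09sys.dbms_output.put_line?a=x",     # percent-encoded tab, SYS-qualified
]


def procedure_name(path: str) -> str:
    """Return the raw name segment of a /pls/<dad>/<name> request, or '' if it is not one."""
    parts = urlsplit(path).path.split("/")   # ['', 'pls', '<dad>', '<name>']
    if len(parts) < 4 or parts[1] != "pls":
        return ""
    return parts[3]


def naive_is_excluded(raw_name: str) -> bool:
    """Match the exclusion list against the name exactly as received."""
    return any(fnmatch.fnmatchcase(raw_name, pat) for pat in EXCLUSION_LIST)


def canonicalize(raw_name: str) -> str:
    """Reduce the name toward the form the database would resolve (assumed steps):
    percent-decode, drop ASCII space and control characters, lowercase."""
    decoded = unquote(raw_name)
    stripped = "".join(ch for ch in decoded if ord(ch) > 0x20)
    return stripped.lower()


def hardened_is_excluded(raw_name: str) -> bool:
    """Match the exclusion list against the canonical form of the name."""
    return any(fnmatch.fnmatchcase(canonicalize(raw_name), pat) for pat in EXCLUSION_LIST)


def audit(requests):
    """Return the requests the naive check would pass on to the database but the
    canonicalizing check blocks: each one is an exclusion-list bypass."""
    bypasses = []
    for req in requests:
        name = procedure_name(req)
        if name and not naive_is_excluded(name) and hardened_is_excluded(name):
            bypasses.append(req)
    return bypasses


if __name__ == "__main__":
    for req in audit(SAMPLE_REQUESTS):
        print("bypasses naive exclusion check:", req)
```

Run as-is, the script reports the three constructed requests that slip past the raw-string check. The caveat a practitioner should keep in mind is that filtering at the gateway is a stopgap: the canonicalization has to mirror the database's own identifier resolution exactly (quoted identifiers, for one, follow different rules), and every gap between the two is another bypass. That is why the vendor patch, not the filter, is the fix, and why the trade-off Oracle raises, a workaround that breaks some E-Business apps versus an unpatched gateway, is one customers need the information to make for themselves.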

Also in January, Alexander Kornbrust, CEO of security research and consulting firm Red-Database-Security, reported that an Oracle security feature called transparent data encryption was storing its master encryption key unencrypted in the system global area, the shared memory region an Oracle instance uses to cache data and control structures for its client sessions. Kornbrust's conclusion: anyone able to read that memory, whether a skilled attacker who has gained the access or a database administrator who has no business seeing key material, could retrieve the plaintext master key and with it decrypt all data encrypted under that key. Oracle says it addressed this issue in January's critical patch update.

While neither of these vulnerabilities is within the database itself, they show how applications that request information from an Oracle database could be compromised. "We all have some concerns about the future of attacks against applications and databases," says Howard Schmidt, a former White House cybersecurity adviser and former chief security officer at eBay and Microsoft. "The biggest issue is when you start laying your Web infrastructure over these back-end applications."

Oracle's past two critical patch updates addressed 37 and 38 vulnerabilities affecting database versions, including 8i, 9i, and 10g. Another 20 vulnerabilities patched by both updates involved the company's application server. Oracle's database security features include integrated encryption, protection against log tampering, and advanced auditing capabilities. Yet "all of this becomes meaningless because they have poor practices around dealing with vulnerabilities and patching," says Gartner analyst Richard Mogull.



Patch Inflation

Oracle attributes the number of vulnerabilities and patches issued in January to improvements in finding and fixing bugs. The size of recent updates looks inflated because the company chose to restrict the number of patches it issued last year, says Oracle chief security officer Mary Ann Davidson. "We were conservative early on so as not to overwhelm our users," she says. As the company got better at patching, it began to include a larger number of fixes each quarter, she says.

Davidson: You say you want an IT revolution?

But Oracle has been criticized for not providing enough information about the vulnerabilities it fixes during critical patch updates. Oracle holds information about its vulnerabilities close to the vest and hasn't issued a single workaround since introducing its critical patch update program in January 2005. If it were willing to provide more information about the patches it issues, users could shield their systems while they test the Oracle patches, shortening the amount of time their systems are vulnerable to attack, contends Gartner's Mogull. "If a workaround is going to break something, tell me and let me make the decision for myself," he says.

At issue is just how involved companies should be in their own protection. "If a vulnerability exists, and we can't take precautions about it, that's just bad," says Michael Gallagher, manager of architecture strategy at ABN Amro, a financial services company that uses both Oracle and IBM DB2 databases. "Companies need to know to protect themselves."

Mogull doesn't advocate that Oracle put its customers at risk by providing too much information that could fall into the wrong hands, but he would like to see the vendor provide some details on vulnerabilities and offer potential workarounds. "This provides attackers with some information, but it also arms the legitimate customers," he says. "All it will take is one bad attack on Oracle, and businesses and government are seriously in trouble."

Protection Before Disclosure

To Oracle, the need to protect customers from attackers outweighs the need for full disclosure. The company is adamant about not giving attackers anything to work with. Oracle receives information about vulnerabilities from its own researchers as well as from third-party research firms and customers, says Darius Wiles, a senior manager of security alerts at Oracle. The company also is looking for vulnerabilities within third-party applications, such as the Apache Web server, that could affect the performance and security of Oracle products.

Before moving to a quarterly critical patch schedule, Oracle issued alerts for individual bugs. When a fix was ready, the vendor made sure it worked on all affected products before issuing it to customers. The advantage was speed: a fix shipped as soon as it was ready. But customers got no notice that patches were on the way, and eventually they called for a more predictable patch cycle. "We publish the dates a year in advance so customers can plan their downtime," Wiles says.

The argument over how fast Oracle produces patches misses the point, Wiles says. The wrong metric is to focus on the time between the announcement of the vulnerability and when the patch is made available, he says. Instead, customers should focus on the time between patch availability and their successful implementation of it.

Since Oracle's databases support about 20 different operating systems, each patch must undergo extensive testing to make sure it works properly. "Because customers are under duress to get these patches implemented, we do a lot of work to get them right," Wiles says. "We try to strike the right balance by giving customers the right amount of information without providing information that can be used to create exploits. Given the choice between publishing a workaround that breaks something or not providing a workaround, we do the latter."



Still, Oracle sometimes breaks its own rules. For example, it rarely alerts customers to security fixes in noncritical software patches. Yet in late February, Oracle let customers know about security fixes included in a patch for E-Business Suite 11i, a move to encourage users to install the patch right away and protect themselves from security vulnerabilities in Oracle Diagnostics Web pages.

Oracle's quarterly updates have become more complicated as it has added new software from acquisitions into the mix. This complexity concerns Ken MacPherson, CTO at Campus EAI, a nonprofit provider of hardware, software, and services for educational institutions.

Oracle tested early updates on relatively simple server setups, so they didn't run well in all environments, MacPherson says. Oracle's first critical update, which included a patch for 25 different vulnerabilities, "put a bad taste in everyone's mouth. It fixed some things but broke others," he says. Subsequent updates have been a "drastic" improvement, but they're still complicated when companies use more than one version of Oracle's databases and applications, MacPherson says.

Oracle's acquisitions over the past few years have given it a lot more to secure. While it's too early to know how Oracle will manage security for its Siebel products, it has been content thus far to let its JD Edwards and PeopleSoft units manage security as they did before being bought. Unlike Oracle, which has a security operation under Davidson's direction, JD Edwards and PeopleSoft pooled employees from various departments, including product design, development, and testing, into security councils that set policies and processes and wrote bug fixes. Today, Oracle sets the policies and processes and includes JD Edwards and PeopleSoft patches within its quarterly critical patch updates, but the security councils remain intact.

Easy? No. Possible? Yes.

Until now, databases have stayed under the radar as attackers focused on companies' weak perimeter defenses. As perimeters have hardened, hackers are looking for new vulnerabilities. And they may have found one: Web-accessible applications need broad access to databases from a variety of interfaces, and each of those interfaces is a potential back door to business data.

To penetrate a database from the outside, an attacker who has gained a foothold on the network might reach the database through one of Oracle's management interfaces. "We've gotten better at protecting things like Web servers, browsers, and operating systems. But we haven't gotten better at defending the applications underneath," says senior Forrester Research analyst Michael Gavin.

Welch Foods is halfway through a rollout of Oracle E-Business Suite across its IT environment, with a full implementation of Oracle applications running atop Oracle 10g databases expected by the middle of next year. Welch CIO Larry Rencken is well aware of the back and forth between Oracle and security researchers such as Litchfield, but the PLSQL gateway vulnerability Litchfield addressed isn't one that would affect Welch until the company is further along in its E-Business rollout.

When the E-Business Suite is fully implemented, Welch plans to let employees and partners connect to its databases via iSupplier, iProcurement, and Enterprise Asset Management, a function that will require use of Oracle's PLSQL gateway. At that time, Welch plans to implement Oracle patches as soon as they're available. While this approach may introduce risk into Rencken's IT environment, he's convinced this risk can be effectively managed.



Rencken acknowledges that it took time to learn how to best communicate with Oracle, but since figuring that out, interactions have been smooth. Welch has an ace in the hole: a database administrator who used to work for Oracle and understands its patch process. Welch keeps in close contact with the vendor and even has an Oracle employee on its IT steering committee. Support for Oracle products consists of three in-house database administrators and contracted help from an offshore Oracle support center.

Rencken saves his worrying for wireless communications devices placed in the hands of Welch employees. A cell phone left in a taxi creates the opportunity for someone to access Outlook and other important data. Spyware and E-mailed viruses are another general security concern as they threaten to harm the company's network and snatch important information through key-logging programs. Back-end infiltration into databases, while a serious problem if it happens, is less of a priority because it's perceived as less likely as long as Oracle continues to patch vulnerabilities, Rencken says.

Inside Job

Database security technology doesn't protect well against insider threats, particularly when the person looking to steal data or damage a database has access privileges. Administrators and users must be held accountable for their access privileges, says Bob Blakley, IBM Tivoli's chief scientist for security and privacy. "It's conceivable to break into a database from the outside, but why would you do that when you can place an employee inside a company and attack from within?"

Identity management plays a key role in Campus EAI's security strategy by identifying system users and defining the information they're permitted to access. This is a layer above the database but no less important than the technology used to secure the database. In fact, it's more reasonable to expect someone to try to steal or access sensitive data by escalating their access privileges than by forcibly hacking the database. "Generally speaking, databases are very difficult to attack," MacPherson says. "They're the most secure aspects in a network."

Identity management's importance can't be overstated. "You can secure the heck out of the database, doing table-level auditing and locking down fields," he says, "but how do you secure the data once it leaves the database?"

Managing Identity

A lot of progress in improving the security of applications and data will come from improving the quality of the underlying code. Since December, Oracle has been using Fortify Software's Source Code Analysis software to analyze its app server, collaboration suite, database server, and identity management software for potential vulnerabilities as new versions are built. The tool runs on the build server where developers compile their code, scans the source for constructs that would be vulnerable to attack, and alerts developers to potential problems.
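As an added illustration of the kind of rule such a scanner applies, not Fortify's rule set and not Oracle's code: the script below checks a constructed PL/SQL fragment for a dynamic-SQL sink (EXECUTE IMMEDIATE or OPEN ... FOR) whose statement text is built by concatenating a parameter of the enclosing procedure, and passes the same procedure rewritten with bind variables. The sample PL/SQL, the heuristic and the regular expressions are assumptions for illustration.

```python
import re

# Constructed PL/SQL sample: a procedure that builds dynamic SQL by concatenating
# its parameter, followed by the same procedure rewritten with bind variables.
SAMPLE_PLSQL = """
CREATE OR REPLACE PROCEDURE get_order_bad(p_id IN VARCHAR2) AS
  v_cur SYS_REFCURSOR;
BEGIN
  OPEN v_cur FOR 'SELECT * FROM orders WHERE id = ''' || p_id || '''';
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE owner = ''' || p_id || '''';
END;
/
CREATE OR REPLACE PROCEDURE get_order_ok(p_id IN VARCHAR2) AS
  v_cur SYS_REFCURSOR;
BEGIN
  OPEN v_cur FOR 'SELECT * FROM orders WHERE id = :1' USING p_id;
  EXECUTE IMMEDIATE 'DELETE FROM audit_log WHERE owner = :1' USING p_id;
END;
/
"""

# Procedure header: captures the name and the raw parameter list.
PROC_RE = re.compile(r"\bPROCEDURE\s+(\w+)\s*\(([^)]*)\)", re.I)
# Dynamic-SQL sinks on one line: EXECUTE IMMEDIATE <expr>; and OPEN <cursor> FOR <expr>;
SINK_RE = re.compile(r"\b(EXECUTE\s+IMMEDIATE|OPEN\s+\w+\s+FOR)\s+(.*?);", re.I)


def find_dynamic_sql_sinks(source: str):
    """Heuristic scan (an assumed rule, not a vendor's): flag a dynamic-SQL sink whose
    statement text is built with the '||' concatenation operator from a parameter of
    the enclosing procedure. Returns (procedure, line number, sink keyword, parameters)."""
    findings = []
    proc, params = None, []
    for lineno, line in enumerate(source.splitlines(), 1):
        header = PROC_RE.search(line)
        if header:
            proc = header.group(1)
            params = [p.split()[0].lower() for p in header.group(2).split(",") if p.strip()]
        sink = SINK_RE.search(line)
        if not sink or "||" not in sink.group(2):
            continue   # no concatenation: a literal statement, typically with binds via USING
        tainted = [p for p in params
                   if re.search(r"\b" + re.escape(p) + r"\b", sink.group(2), re.I)]
        if tainted:
            findings.append((proc, lineno, sink.group(1).split()[0].upper(), tainted))
    return findings


if __name__ == "__main__":
    for proc, lineno, kind, params in find_dynamic_sql_sinks(SAMPLE_PLSQL):
        print(f"{proc} line {lineno}: {kind} builds SQL from parameter(s) {params}")
```

The rule is deliberately narrow: it only sees concatenation on the same line as the sink and only tracks parameters, not local variables assigned from them, which is the gap a real data-flow analysis closes. The point it does make is the one the article's sources keep returning to: the fix for this class of bug is in the code, so finding it at build time is cheaper than finding it in a quarterly patch.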

Oracle's Davidson would like to see a "revolution" in IT, where software engineers are certified the way structural and other engineers are certified. "Programming needs to grow up as a profession," she says. "If you're going to build a building, you need to certify your plans. Software is an infrastructure just like a building is." It's time to realize that databases and other software are becoming even more important than any structure as information becomes today's most important currency.

