Oracle database vulnerability creates tension in security industry

Published: Thursday, May 10, 2012

A vulnerability in Oracle's database software went unpatched for four years, according to database security researcher Joxean Koret, who reported it to Oracle in 2008. After the flaw became public, he advised Oracle customers to update their databases immediately.

Although Oracle acknowledged the weakness, the company never shipped a patch for the affected versions. As a result, security professionals around the world are saying that Oracle is putting its customers at risk by withholding even straightforward fixes.

According to a Dark Reading report, several security professionals are now publicly criticizing Oracle.

Vulnerabilities left uncorrected for long periods of time

A major point of contention between Oracle and database administrators is how slowly Oracle produces patches for known weaknesses. Security professionals told Dark Reading that this has been getting worse over the past several years, as Oracle continues to acquire smaller database firms.

"I'm not sure why. Maybe it is just coincidence but maybe now they're just spread across so many products that the security blanket is just too short," McAfee chief technology officer Slavik Markovich said, according to Dark Reading.

Relying on reputation alone is not enough

Dark Reading noted a blog post written last year by an Oracle executive stating that the company was producing fewer patches because its code base was maturing and vulnerabilities were being weeded out by its development process. He went on to say that the company expected fewer problems in the coming years with each Critical Patch Update it released.

These statements, however, did not sit well with database security professionals.

"I think it kind of flies in the face of what Eric Maurice wrote when he said database code has matured," Alex Rothacker of Team SHATTER from Application Security said, according to Dark Reading. "If they've been sitting on this for four years and haven't done anything until now, it makes me wonder what else are they sitting on that they haven't fixed."

Possible disservices to customers

Rothacker noted that the cost of security often shifts from Oracle onto its customers. Other security experts believe Oracle needs to invest heavily in fixing security issues, and that when it fails to do so, the expense falls on the end user, since an unpatched vulnerability can be costly, the news source noted.

Additionally, fixes sometimes arrive only in newer product versions rather than as patches for the releases customers are already running. This may be an attempt to push customers onto updated database versions, but upgrading isn't always an option, especially for smaller organizations.

Finally, throughout the disclosure process, Oracle has continued to butt heads with security researchers.

Disagreements cause headache

Koret told Dark Reading that Oracle credited him in the advisory for a patch. The company then emailed him saying that the weakness he reported in 2008 had been fixed by that patch.

"Then it turned out the vulnerability wasn't fixed at all and there was no patch because, they said, 'the vulnerability was fixed in later versions,'" Koret told the news provider.

Rather than issuing a patch for the versions customers already had deployed, Oracle fixed the flaw only in later releases, Dark Reading said, leaving installations on older versions exposed. This led many security professionals to conclude that Oracle had dropped the ball, which added to the tension between researchers and the company.

"I do not think that the way Oracle handled this issue was smart," database security expert Alexander Kornbrust said, according to Dark Reading. "Their communication was bad."