Oracle on Tuesday unleashed its quarterly critical patch update, which included just two fixes for vulnerabilities in its Oracle Database Server, one of the lower totals seen from the company in recent years. There are a total of 78 patches for a wide variety of Oracle products available today, including Fusion, PeopleSoft and the Sun Product Suite.
Oracle has been on this quarterly update schedule for some time now, and it typically releases its fixes in the middle of the first month of each quarter. When Oracle published its initial pre-release announcement for the January CPU late last week, it carried a placeholder saying the patches would be released on Jan. 19. Soon after, however, the company removed that announcement and put up another saying they would be published on Jan. 17 as planned.
The most serious vulnerability in this quarter’s release rates a 7.8 on the CVSS scale and is a flaw in Solaris. Six of the 17 vulnerabilities in the Sun Products Suite are remotely exploitable. Only one of the two Oracle Database Server vulnerabilities fixed in today’s release is remotely exploitable, the company said.
The method that Oracle uses to prioritize its release of patches is fairly opaque, and some researchers say that the company has a backlog of vulnerabilities that have been reported in the last few months but didn’t make it into this quarter’s CPU. Oracle typically doesn’t provide any real explanation of why one bug was patched and not another.
“CPUs are supposed to not have negative effects on third party and custom applications that are backed by the database, so some security issues, even extremely severe ones, get fixed on the slower Patch Set cycle, where they also get a lot less attention and no CVE entries. Past CPUs have also not always fixed all issues in all versions, and have resulted in re-releases of CPUs or silently fixing issues in later CPUs. I can only speculate that there are many engineers involved in patching, merging the patches and testing, and mistakes apparently happen,” said Alex Rothacker, director of security research at Application Security’s TeamSHATTER.
“The kind of bugs that we keep finding in new features and products, especially XSS and SQLi in Oracle Enterprise Manager, run afoul of Oracle’s claim that they have succeeded with a more secure development lifecycle. Overall, while finding Oracle vulnerabilities is not the low-hanging fruit it used to be four to five years ago, it’s still easy enough to find them. If TeamSHATTER researchers can find these vulnerabilities, there is no reason why bad guys can’t find them.”
While Microsoft has really made huge strides in making SQL Server secure, Oracle is still lagging far behind. Lip service in blog posts is no replacement for actually turning your engineering culture around.