January 18th marks the 6th anniversary of the Oracle Critical Patch Update (CPU) in its current form as a quarterly patch. For those who remember, before the CPU, Oracle released patches as Security Alerts, the last being Security Alert 68 at the end of August 2004.
In the past 6 years, CPUs have brought a steady stream of security patches to the Oracle Database Management Systems (DBMS) with 71 patches in 2005, 87 in 2006, 73 in 2007, 53 in 2008, and 54 in 2009.
The Downward Trend
However, starting in 2010, Oracle has significantly decreased the number of patches in the database with only 32 fixes reported. The trend continues in the first release of 2011 with only 6 database fixes out of 66 total fixes. The bulk of the other 60 fixes are in Oracle Fusion Middleware, PeopleSoft and Solaris. See the chart for the number of security fixes to the Oracle Database since January 2005.
In the meantime, Oracle has acquired numerous companies and has incorporated fixes to the respective products into the CPU, steadily growing the total number of fixes. It appears that all these acquisitions have made Oracle lose focus on its core competency. It also shows that Oracle’s security team is getting spread too thin between all these newly acquired products.
Let’s take a further look at the database portion of the most recent CPU. As mentioned above, a total of 66 security issues are fixed in this CPU, with 6 directly affecting the database and 1 affecting Oracle Audit Vault. Here is the drill down:
- CVE-2010-3600 is a flaw in the Oracle Enterprise Manager Grid Control that is remotely exploitable over HTTP without authentication. Oracle is using their Partial+ rating for Confidentiality, Integrity and Availability, giving this a CVSS score of 7.5. Using a more traditional interpretation of CVSS would most likely score this at a perfect 10 – the highest possible risk. Either way, for any Oracle Database installation with OEM installed, this vulnerability fix alone makes applying this CPU a must.
- CVE-2010-4423 is a flaw that only applies to Oracle installations on Microsoft Windows. It is exploitable only during installation, modification or update of the database, but does allow for a complete takeover of the database host. For Oracle on Windows this is a must-have patch.
- CVE-2010-4421 and CVE-2010-4420 are both vulnerabilities in the Database Vault option. While this is not a widely deployed option, organizations that are using it generally do so for added security. This is remotely exploitable over HTTP without authentication. Yet another must-have patch.
- CVE-2010-3590 sounds like a blast from the past. Good old Oracle Spatial. This component used to be riddled with security vulnerabilities, with fixes in almost all of the early CPUs. I had thought that it had been fixed for good a while ago, but it looks like there is still more. Any Oracle installation that is not expressly using any of the Spatial features should have this component removed, or if it is needed, have it updated.
- CVE-2010-4449 is a flaw in Oracle Audit Vault. Again, a total compromise of the host makes this a must-have patch.
2011 Wish List – Be More Like Microsoft
CPU reports simply don’t have the information to be useful for the DBAs that would be applying these patches. Each quarter, the releases make it significantly difficult to gauge the real risk level of each vulnerability. CVSS scoring tends to be skewed, and Oracle often assigns flaws lower CVSS scores because of its Partial+ ranking. It would also be nice to see additional details on the vulnerabilities, including details on temporary workarounds and attack vectors. When Microsoft issues its patches on Patch Tuesday, they issue a detailed document for each vulnerability – including workarounds and attack vectors.
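The scoring dispute raised above (Partial+ scored as Partial giving 7.5, versus a conventional Complete reading giving 10.0) can be made concrete with the CVSS v2 base formula. The calculator below is an added example and is not part of the original article or of Oracle's own tooling. The metric weights and formula are the published CVSS v2 base-score definitions; the vector for CVE-2010-3600 is constructed from the article's description (network access, no authentication, Partial+ on all three impacts) with low access complexity assumed, since that is the only access-complexity value that reproduces the cited 7.5.

```python
# Added example (not from the original article): a CVSS v2 base-score
# calculator that shows how Oracle's "Partial+" impact rating, which CVSS v2
# can only score as Partial, diverges from a Complete rating for the same
# network/no-authentication vector. Weights and formula are the published
# CVSS v2 base-metric definitions. Vectors used below are constructed for
# illustration from the article's wording, not copied from Oracle's advisory.
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into an ordered dict of metric -> letter."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if tuple(metrics) != REQUIRED_METRICS:
        raise ValueError(f"vector must list {REQUIRED_METRICS} in order: {vector}")
    return metrics


def round_to_1_decimal(value):
    # CVSS v2 rounds the final score to one decimal place; use half-up rounding
    # via Decimal so values such as 7.15 do not fall victim to float banker's rounding.
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector):
    """CVSS v2 base score for a vector string such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    if impact == 0:
        # f(Impact) is 0 when there is no impact at all, so the score is 0.0.
        return 0.0
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def severity(score):
    """NVD's CVSS v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def compare_partial_plus(vector_as_published):
    """Score a vector as published (Partial+ can only be encoded as Partial),
    then again with every Partial impact read as Complete, the reading a
    'complete takeover' description would normally get. Returns both scores."""
    m = parse_vector(vector_as_published)
    as_complete = "/".join(
        f"{k}:{'C' if k in ('C', 'I', 'A') and v == 'P' else v}" for k, v in m.items()
    )
    return cvss2_base_score(vector_as_published), cvss2_base_score(as_complete)


if __name__ == "__main__":
    # Constructed vector for the article's description of CVE-2010-3600: remote
    # over HTTP, no authentication, Partial+ on C/I/A. AC:L is an assumption.
    vec = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    published, conventional = compare_partial_plus(vec)
    print(f"{vec} scored as Partial   -> {published} ({severity(published)})")
    print(f"same vector read as Complete -> {conventional} ({severity(conventional)})")
```

Running the block prints 7.5 for the vector as Oracle scores it and 10.0 once the three Partial+ impacts are read as Complete, which is the gap the article points at: the Partial+ label itself never reaches the formula, so a DBA reading only the score sees "High" but not "maximum".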
While I’m on the subject of Microsoft – perhaps Oracle should be more like them in other ways as well. Microsoft SQL Server 2005 and 2008 have been virtually free of vulnerabilities. Microsoft shows a real concern for database security and has invested heavily in security improvements over the years to ensure organizations don’t spend every quarter fumbling to determine which patches are critical and how they are going to apply every one in a timely manner before a hacker exploits the flaws.
More Work To Be Done
To sum it up, there are 3 flaws combined between Oracle Audit Vault and Oracle Database Vault. Both of these products are security options to the database, but with flaws this severe, Oracle might want to go back to the drawing board and rethink how to address security through their complete development cycle.
We know that Oracle relies on many independent security researchers to find these vulnerabilities. As one of those researchers responsible for reporting vulnerabilities, I know that they have a mounting list of flaws to patch. This quarter alone, my team was credited for reporting 3 of the 6 DBMS vulnerabilities. And no, the lack of database vulnerabilities being patched by Oracle doesn’t mean that there aren’t any significant flaws. There is still more work to be done.
Alex Rothacker is the director of security at AppSec Inc.’s Team SHATTER research team.