16 January 2008, 13:34

Security updates from Oracle fall on stony ground

Oracle rang in the New Year with a critical patch update aimed at fixing vulnerabilities in several of its products. With a total of just 26 fixes, the vendor is taking a relaxed approach to the security situation this time round. There are eight patches for different database versions, although Oracle claims that none of the vulnerabilities they have fixed can be exploited remotely without authentication. These include SQL injection vulnerabilities. The situation is somewhat different for the Oracle Application Server, where five of the six vulnerabilities dealt with are remotely exploitable without authentication. Two of the vulnerabilities have a CVSS score of 9.3 (on a scale of 1 to 10), which makes them critical.

The vendor has also fixed seven vulnerabilities in Oracle E-Business Suite and Applications, three of which can be exploited over a network without authentication. Oracle does not explain exactly how these vulnerabilities may be exploited, but with a maximum CVSS score of 5.5, they are not too critical anyway. Finally, there are four fixes for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne. Further details are given in the vendor's original report.

However, a survey carried out by database security specialist Sentrigo has expressed doubts about whether the report and the updates are being taken seriously. When asked if they had ever installed an Oracle critical patch update, two thirds of database administrators, developers and consultants answered 'no'. Only ten percent of respondents said they had applied the latest Oracle patches.

These findings agree with the experience of other database security specialists such as Red Database Security, based in Germany. Sentrigo offers no explanation for the apparent reluctance to apply these patches. But the service provider assumes that the headaches involved in achieving error-free installation of the patches and the maintenance time required is putting administrators off.