Oracle Scorned For Paltry Database Patches

  /     /     /  
Publicated : 22/11/2024   Category : security


Oracle Scorned For Paltry Database Patches


With only two of many reported vulnerabilities fixed in Oracles latest update, the database security community questions Oracles patch bottleneck.



Oracles Tuesday release of its critical patch update (CPU) garnered a continuation of criticism from the database security community, with researchers pointing to a mounting list of unfixed vulnerabilities that date back to 2009, even as Oracles rate of releasing database patches continues to plummet. Not counting MySQL updates, which are primarily handled by the open-source community, only two out of the 78 fixes in Tuesdays CPU were database-related, the lowest number released by Oracle since it started quarterly CPU releases.
I am honestly shocked that they only fixed two database vulnerabilities, said Alex Rothacker, manager of Application Securitys research arm, TeamSHATTER.
According to Rothacker, his firm currently has nine vulnerabilities reported in Oracles queue of discovered vulnerabilities. While that might not seem like a lot on its face, he said, one of them dates back to 2009 and five of them can result in privilege escalation. In addition, thats only the vulnerabilities discovered by AppSec researchers. Based on his conversations with those in the community, Oracle has been notified by other vendors and independent researchers about many other vulnerabilities, as well.
Theres definitely more stuff out there than just those nine, Rothacker said.
Rothacker said that because many Oracle customers are loathe to make fixes in their databases anyhow, this lack of pressure is what allows the firm to get away with taking its time on these CPUs.
Wolfgang Kandek, CTO of Qualys, tends to agree that the slow speed at which database patches are generally applied could contribute to Oracle slowing down its pace with these updates.
Database patching is definitely slower than other areas, such as servers or workstations, he said. You can find vulnerabilities and Oracle can fix them, but if customers do not install them or come back to Oracle and say, this is important for me, it makes sense that Oracle could maintain that flow of patch schedule. The rollout schedule is a reflection of how much users actually pay attention to those things.
However, Amichai Shulman, CTO of Imperva, believes there is a bottleneck in the Oracle patching process that needs fixing.
Read the rest of this article on
Dark Reading
.
Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isnt as simple as it sounds.
Download the supplement now
. (Free registration required.)

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Oracle Scorned For Paltry Database Patches