It needs fixing, CTO says
Oracle’s recent massive Critical Patch Update has drawn the wrath of Amichai Shulman, CTO at security firm Imperva.
Oracle’s most recent quarterly security update contained 66 patches for 28 products, including vulnerabilities in Audit Vault, Open Office, Oracle Database 10g and 11g, JRockit, Solaris and WebLogic. The firm listed 34 bugs as "remotely exploitable without authentication" and gave several a score of 10, the most severe of vulnerabilities on the Oracle Common Vulnerability Scoring System (CVSS).
Shulman said the patching process "needs fixing" and Oracle should be releasing patches much more often than every quarter.
"In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities," he said. "However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can’t believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities."
Shulman also questioned how much patching is going on at Oracle: "In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products."
"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening," Shulman continued.
"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing," he added. "This lack of transparency is outrageous behaviour. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers."
Writing on the company’s Global Product Security blog, security assurance director Eric Maurice defended Oracle’s patching.
"The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products," he wrote. "Critical Patch Updates are issued on a predictable schedule published a year in advance. The CPU documentation is consistent across all product lines and leverage industry standards such as CVSS and CVE. Very importantly as well, Oracle’s fixing and disclosure policies are transparent and are designed to provide equal protection to all Oracle customers."