A slew of vulnerabilities addressed by Oracle Corp. in August continues to frustrate DBAs, resulting in sharp criticism
from analysts at Gartner Inc., who say the database software vendor needs to release more details about the flaws.
Oracle continues to remain mum on security patch 68, which addressed in late August more than two dozen flaws discovered earlier this year. DBAs have complained that they were left in the dark on exactly what flaws the patch addresses and whether there are any workarounds.
"This makes it much more difficult for enterprises to effectively patch their systems or use alternate security measures as temporary defenses," said Rich Mogull, a research director at Gartner. "I've heard some horror stories from clients trying to navigate the patch and update process to fix their systems."
The flaws had been found in versions 8i, 9i and 10g database, Oracle application server and enterprise manager software. The vulnerabilities were identified in February by David Litchfield, a well-known vulnerability-finder and co-founder of Next Generation Security Software, which is based in Sutton, England.
Oracle's database server and application server are at high risk because attackers with network access could exploit the DBMS without a valid user account and password.
Some customers are struggling to first update systems to a revision level they can patch, causing some applications to fail in the process. DBAs are then applying a patch without knowing what it does and if it will break a system, Mogull said.
Oracle said it was releasing murky details on the areas affected most by the flaws because of the severity of the vulnerabilities.
The company also responded to criticism that it waited six months before releasing fixes to the vulnerabilities; it outlined a new monthly patch schedule, similar to a program run by Microsoft. Oracle said it knew about the vulnerabilities in February but waited to release a full fix rather than a partial fix to customers.
An updated patch schedule can be helpful since it allows managers to better prepare for system updates, Mogull said. But Oracle also needs to provide clearer guidance on whether the patches can work, even if unsupported, on older versions of Oracle.
"Oracle has done many things right over the years with security, but this current response is not up to industry best practices and is creating confusion for their clients," Mogull said.
Last week Gartner released a short report that outlined recommendations to appropriately address the flaws. Gartner is urging its clients to apply the Oracle-supplied patches immediately if they use a supported version of the software.
Customers using a non-supported version of Oracle, such as 7.x or 8.0x, should consider an immediate upgrade or switch to an alternative product.
When specific details of the exploits are released, Oracle customers should determine whether a SQL .NET-capable deep-packet inspection firewall or intrusion prevention system could be set up to detect and shut down attacks, according to the report.
Arup Nanda, a security expert and Norwalk, Conn.-based DBA who is president of Proligence, an Oracle consultancy, said some DBAs have been forced to take entire systems out of production to address the issues.
"DBAs need to be absolutely certain that they need the patch and need to be able to determine how much downtime is needed and whether certain systems can stay online," Nanda said.