Oracle acts quickly to patch up security sinkhole
InfoWorld spares Oracle’s blushes after unearthing fundamental design flaw in various database products.
Oracle yesterday acted swiftly to fix a fundamental design flaw
after being tipped off by an InfoWorld investigation.
January’s Critical Patch Update brought 78 security fixes, 16
of which were deemed critical, covering a collection of its
database products such as Oracle Database Server, Fusion
Middleware, E-Business Suite, Oracle Sun products, MySQL,
VirtualBox, and PeopleSoft.
Following InfoWorld’s investigation, which discovered an SCN
(System Change Number) ‘time stamp’ problem right at the heart of
Oracle’s databases, Oracle resolved to fix the problem before it
got out of hand – and, more importantly, before it affected some
of its most lucrative partners. The six-page article details the
entire problem and deserves your
Oracle, recognising that a remote attack could be
imminent, advised those affected to act as soon as possible to
avoid a long-term problem that could paralyse their systems. They
said in their advisory:
Due to the threat posed by a successful attack,
Oracle strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may
be possible to reduce the risk of successful attack by blocking
network protocols required by an attack.
Oracle offered two temporary workarounds but clarified that they
wouldn’t be suitable in the long run:
For attacks that require certain privileges or access to
certain packages, removing the privileges or the ability to access
the packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may break
application functionality, so Oracle strongly recommends that
customers test changes on non-production systems. Neither approach
should be considered a long-term solution as neither corrects the
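The second workaround, taking execute access on the packages an attack depends on away from users who do not need it, is a routine least-privilege check in Oracle Database. The block below is an added example written for this page, not text from the article or from Oracle’s advisory: it lists EXECUTE grants to PUBLIC on SYS-owned packages through the standard DBA_TAB_PRIVS and DBA_OBJECTS dictionary views, then revokes one. SYS.SOME_PACKAGE is a placeholder name, since the article names no specific package.

```sql
-- Added example (not from the article or Oracle's advisory).
-- Step 1: list every SYS-owned package that PUBLIC may execute.
-- Each row is a candidate for revocation if no application needs it.
SELECT p.grantee, p.owner, p.table_name
  FROM dba_tab_privs p
  JOIN dba_objects o
    ON o.owner = p.owner
   AND o.object_name = p.table_name
 WHERE o.object_type = 'PACKAGE'
   AND p.privilege   = 'EXECUTE'
   AND p.grantee     = 'PUBLIC'
   AND p.owner       = 'SYS'
 ORDER BY p.table_name;

-- Step 2: revoke the grant for a package no application needs.
-- SYS.SOME_PACKAGE is a placeholder; substitute a package from step 1.
REVOKE EXECUTE ON sys.some_package FROM PUBLIC;

-- Step 3: confirm the grant is gone; this query should return no rows.
SELECT p.grantee, p.table_name
  FROM dba_tab_privs p
 WHERE p.owner      = 'SYS'
   AND p.table_name = 'SOME_PACKAGE'
   AND p.grantee    = 'PUBLIC'
   AND p.privilege  = 'EXECUTE';
```

Run the listing query first on a non-production copy, as the advisory itself suggests, and compare the result against what the applications actually call before revoking anything; a revoke from PUBLIC is visible to every schema in the database at once, which is exactly why the advisory warns that the workaround can break application functionality.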
Security problems within Java have long been a thorn in Oracle’s
side; the company has quite frequently been deploying security
patches by the month to combat widespread bugs. But this slip-up
could have been a lot more costly had InfoWorld not divulged the
information before it went to the press.
Next month’s patch will tackle the Java Runtime Environment –
as needed as ever, especially after Kaspersky Labs listed Java in
its Top 10 Vulnerabilities for the second quarter of last year and
Microsoft warned consumers to patch up for winter, reckoning
that Oracle’s platform was rife with hackers.
With security problems cropping up so often, Oracle needs to
create a plan of action now, before a bigger architectural problem
cripples its portfolio.