Disaster avoided with quick critical fix patch
Oracle acts quickly to patch up security sinkhole
Oracle yesterday acted swiftly to fix a fundamental design flaw after being tipped off by an InfoWorld investigation.
January's Critical Patch Update brought 78 security fixes, 16 of them rated critical, across a range of Oracle products including Oracle Database Server, Fusion Middleware, E-Business Suite, the Sun product line, MySQL, VirtualBox and PeopleSoft.
Following InfoWorld's investigation, which uncovered a problem with the SCN (System Change Number, the 'time stamp' counter that sits at the heart of every Oracle database), Oracle resolved to fix the problem before it got out of hand and, more importantly, affected some of its most lucrative customers. The six-page article details the entire problem and deserves your attention.
Oracle, recognising that a remote attack could be imminent, advised those affected to apply the fixes as soon as possible to avoid a long-term problem that could paralyse their systems. Its advisory says:
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack.
Oracle offered two temporary workarounds but made clear that neither is suitable in the long run:
For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
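As an added illustration of the second workaround (it is not taken from Oracle's advisory or from the InfoWorld article), the SQL below inventories EXECUTE grants on SYS-owned packages, generates REVOKE statements for grantees that should not have them, and lists the application objects that would break. The `UTL_%` name filter is an assumption for the example, since the advisory does not name the packages involved; substitute the packages listed in the CPU risk matrix, and run it on a non-production system first, as Oracle says.

```sql
-- Added example, not Oracle's own code: review and remove package EXECUTE
-- grants that unneeded users hold. The 'UTL_%' filter is a placeholder;
-- replace it with the packages named in the Critical Patch Update.
SET LINESIZE 200 PAGESIZE 100

-- 1. Who can execute the packages today (including the PUBLIC role)?
SELECT p.grantee, p.table_name AS package_name, p.grantable
FROM   dba_tab_privs p
JOIN   dba_objects o
       ON o.owner = p.owner AND o.object_name = p.table_name
WHERE  p.owner = 'SYS'
AND    p.privilege = 'EXECUTE'
AND    o.object_type = 'PACKAGE'
AND    p.table_name LIKE 'UTL_%'
ORDER  BY p.table_name, p.grantee;

-- 2. Generate the REVOKE statements for the grantees that do not need
--    the access (here: everything granted to PUBLIC). Review the output
--    before executing it; each revoke is explicit and reversible.
SELECT 'REVOKE EXECUTE ON SYS.' || p.table_name || ' FROM ' || p.grantee || ';'
       AS revoke_stmt
FROM   dba_tab_privs p
WHERE  p.owner = 'SYS'
AND    p.privilege = 'EXECUTE'
AND    p.grantee = 'PUBLIC'
AND    p.table_name LIKE 'UTL_%'
ORDER  BY p.table_name;

-- 3. Find the application code that depends on those packages: these are
--    the objects that will go INVALID after the revoke, i.e. the
--    "may break application functionality" the advisory warns about.
SELECT d.owner, d.name, d.type, d.referenced_name
FROM   dba_dependencies d
WHERE  d.referenced_owner = 'SYS'
AND    d.referenced_name LIKE 'UTL_%'
AND    d.owner NOT IN ('SYS', 'SYSTEM')
ORDER  BY d.owner, d.name;
```

Owners that appear in step 3 need a direct grant (or the package access restored) before the revoke goes to production; re-run step 1 afterwards to confirm only the intended grantees remain.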
Security problems within Java have long been a thorn in Oracle's side, and the company has been shipping security patches almost monthly to combat widespread bugs. This slip-up could have been far more costly had InfoWorld not disclosed its findings to Oracle before going to press.
Next month's patch-up will tackle the Java Runtime Environment, and it is as needed as ever: Kaspersky Labs listed Java in its top 10 vulnerabilities for the second quarter of last year, and Microsoft urged consumers to patch it over the winter, describing Oracle's platform as a prime target for attackers.
With security problems cropping up so often, Oracle needs to draw up a plan of action now, before a bigger architectural problem cripples its portfolio.