January 20, 2011

Imperva slams Oracle patching methods

It needs fixing, CTO says

By Steve Evans

Oracle’s recent massive Critical Patch Update has drawn the wrath of Amichai Shulman, CTO at security firm Imperva.

Oracle’s most recent quarterly security update contained 66 patches for 28 products, including vulnerabilities in Audit Vault, Open Office, Oracle Database 10g and 11g, JRockit, Solaris and WebLogic. The firm listed 34 bugs as "remotely exploitable without authentication" and gave several a score of 10, the most severe of vulnerabilities on the Oracle Common Vulnerability Scoring System (CVSS).

Shulman said the patching process "needs fixing" and Oracle should be releasing patches much more often than every quarter.

"In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities," he said. "However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can’t believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities."

Shulman also questioned how much patching is going on at Oracle: "In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products."

"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening," Shulman continued.

"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing," he added. "This lack of transparency is outrageous behaviour. Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their customers."

Writing on the company’s Global Product Security blog, security assurance director Eric Maurice defended Oracle’s patching.

"The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products," he wrote. "Critical Patch Updates are issued on a predictable schedule published a year in advance. The CPU documentation is consistent across all product lines and leverages industry standards such as CVSS and CVE. Very importantly as well, Oracle’s fixing and disclosure policies are transparent and are designed to provide equal protection to all Oracle customers."
