Imperva CTO blasts Oracle patching

News 19 Jan, 2011

Oracle's patching system needs fixing, according to Imperva's CTO.

Oracle should patch database vulnerabilities more frequently and be more open about what the flaws are, a security expert has claimed.

Imperva chief technology officer (CTO) Amichai Shulman said Oracle used to issue fixes on a more regular basis, even when they had far fewer products.

“One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products,” Shulman said.

“The quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year.”

Shulman said he could not believe “there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.”

Furthermore, the CTO said Oracle did not elucidate enough on what the vulnerabilities were.

“Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits,” he added.

“Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.”

Oracle chose not to comment on Shulman’s statement.

However, Oracle has included a new document in the critical patch update to help administrators better understand the related security vulnerabilities.

“This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation,” Oracle said in a blog.

Shulman's comments came a day after Oracle released its January 2011 Critical Patch Update, which covered 66 vulnerabilities across a range of products.

A total of 16 fixes were for Oracle’s Fusion Middleware offering alone – two of which had maximum CVSS Base Score of 10.0.

A fix for an Oracle Audit Vault vulnerability, which was also handed the maximum CVSS Base Score, was issued.

"We are seeing fixes for remote execution without authentication, which is very severe," Shulman added.