Imperva CTO blasts Oracle patching

Oracle's patching system needs fixing, according to Imperva's CTO.


Oracle should patch database vulnerabilities more frequently and be more open about what the flaws are, a security expert has claimed.

Imperva chief technology officer (CTO) Amichai Shulman said Oracle used to issue fixes on a more regular basis, even when they had far fewer products.

"One would assume that more products require more fixes, yet we are seeing smaller patches with fewer fixes for more products," Shulman said.

"The quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year."

Shulman said he could not believe "there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities."

Furthermore, the CTO said Oracle did not explain clearly enough what the vulnerabilities were.

"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits," he added.

"Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."

Oracle chose not to comment on Shulman's statement.

However, Oracle has included a new document in the critical patch update to help administrators better understand the related security vulnerabilities.

"This text summary of the risk matrices will always include the same information as the standard risk matrices, and is designed for individuals who may not be very familiar with the application of the CVSS standard and its interpretation," Oracle said in a blog.

Shulman's comments came a day after Oracle released its January 2011 Critical Patch Update, which covered 66 vulnerabilities across a range of products.

A total of 16 fixes were for Oracle's Fusion Middleware offering alone, two of which had the maximum CVSS Base Score of 10.0.

Oracle also issued a fix for an Oracle Audit Vault vulnerability that was likewise given the maximum CVSS Base Score.

"We are seeing fixes for remote execution without authentication, which is very severe," Shulman added.
