Oracle’s acquisition of PeopleSoft and Retek for more than $11 billion in recent months, together with the planned purchase of Siebel for $5.88 billion, will transform the company into an enterprise software giant.
But there are signs of danger ahead for the Redwood Shores, Calif., company as reports of a backlog of unfixed software holes and buggy product patches cause some to wonder whether the database software pioneer is headed for a security crisis.
In the last year, Oracle Corp. was muddied by a series of mishaps and missteps that include faulty product patches and withering criticism from independent security researchers, who charge that the company lacks security discipline.
The company’s senior security officer defends Oracle’s ongoing work to improve the security of its products. But experts are concerned that Oracle lacks a coherent plan to make all its products more secure.
In July, Oracle was forced to fix an already released software patch after security researcher David Litchfield of NGS Security Software Ltd. in Surrey, U.K., discovered that a database patch it released in April didn’t properly install fixed files on machines that were vulnerable.
In August, Litchfield stung Oracle again with an analysis of the company’s OPatch utility, which he said gave Oracle customers the impression that their servers were adequately patched, when they often were not.
Speaking with eWEEK Magazine, Oracle CSO Mary Ann Davidson admitted that the company had a problem with one of 100 issues that it fixed in its most recent quarterly Critical Patch Update (CPU).
Davidson admitted that the company did not adequately check to make sure that the patch components were installed correctly on Oracle systems where the patch was applied.
The company has addressed the problem by having Davidson’s security group test outgoing patches before they are shipped. In the long term, Oracle will implement a full test suite to evaluate product patches.
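The failure described above, a patch utility reporting success while the fixed files were never actually put in place, is what an independent file-level check catches. The following is an added Python example and is not Oracle's OPatch or any code from eWEEK; the manifest, file paths and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest (hypothetical): the files a patch is supposed to replace
# and the SHA-256 of the fixed version of each. Paths and contents are invented.
FIXED_LIB = b"fixed library contents v2\n"
FIXED_BIN = b"fixed binary contents v2\n"
MANIFEST = {
    "lib/libserver.so": sha256_bytes(FIXED_LIB),
    "bin/server": sha256_bytes(FIXED_BIN),
}


def verify_patch(install_dir: str, manifest: dict, inventory_says_applied: bool) -> dict:
    """Compare each manifest entry with the bytes actually on disk.
    'contradiction' is True when the patch inventory claims the patch is
    applied but at least one file is missing or still holds old contents."""
    report = {"ok": [], "stale": [], "missing": []}
    for rel_path, expected in manifest.items():
        full = os.path.join(install_dir, rel_path)
        if not os.path.isfile(full):
            report["missing"].append(rel_path)
            continue
        with open(full, "rb") as fh:
            actual = sha256_bytes(fh.read())
        (report["ok"] if actual == expected else report["stale"]).append(rel_path)
    report["contradiction"] = inventory_says_applied and bool(report["stale"] or report["missing"])
    return report


def demo() -> dict:
    """Build a constructed install tree where the patch only half-applied:
    the binary was replaced but the library still has the old contents."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "lib", "libserver.so"), "wb") as fh:
            fh.write(b"old vulnerable library contents v1\n")
        with open(os.path.join(root, "bin", "server"), "wb") as fh:
            fh.write(FIXED_BIN)
        return verify_patch(root, MANIFEST, inventory_says_applied=True)


if __name__ == "__main__":
    print(demo())
```

The check trusts only file contents, so a patch inventory that says "applied" is treated as a claim to be verified rather than as evidence.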
Oracle has also come under fire for its slow response to security holes that are discovered by independent security researchers.
In July, Alexander Kornbrust, CEO of Red-Database-Security GmbH in Neunkirchen, Germany, published advisories for six unpatched holes in Oracle Forms and Oracle Reports, including one “high risk” hole that was more than two years old and could be used by a remote attacker to overwrite files on an Oracle application server with nothing more than a Web URL.
Kornbrust said he released the advisories after becoming impatient with Oracle’s slow response.
In e-mail and phone conversations with eWEEK, he painted a picture of a company that does not communicate well with outsiders and seems reluctant to take responsibility for flaws in its products.
“You send an e-mail to Oracle. The same day you get an answer that they’re looking into the problem, but then nothing happens,” he said.
Kornbrust said he has information on many critical bugs that are more than two or three years old.
The same is true at Argeniss Information Security in Argentina, where founder and CEO Cesar Cerrudo said his researchers have discovered many buffer overflow and SQL injection holes on Oracle database functions that are accessible to any database user, in addition to holes that could be exploited in remote attacks that don’t require the attacker to log in to the database and could be used to crash a database server.
“Some of these holes are very easy to find, so I don’t know why Oracle hasn’t patched them,” Cerrudo said.