Oracle Corp.'s first quarterly Critical Patch Update (CPU) of 2014, released last week, included fixes for 144 vulnerabilities across a wide range of its software, but one expert fears many more unpatched vulnerabilities may be looming in Oracle's latest database product.
Redwood Shores, Calif.-based Oracle Corp. patched 36 Java vulnerabilities alone. Five of those merited the Common Vulnerability Scoring System's (CVSS) highest score of 10, and another five scored 9.3, Eric Maurice, Oracle's software security assurance director, said in a blog post. Of the 36 Java vulnerabilities, 34 are remotely exploitable.
Separately, the Oracle-owned MySQL database management system received 18 patches, including one with a 10 CVSS score. In contrast, only five patches were applied to Oracle Database this round.
Amichai Shulman, co-founder and chief technology officer (CTO) for Redwood Shores, Calif.-based database security vendor Imperva Inc., said the number of Oracle Database patches in the January 2014 CPU was surprisingly low, possibly signaling a chokepoint within Oracle that limits the number of security updates the company is able to push out at a time.
"Take Java and MySQL. I don't recall in the past year a tremendous change of architecture in both those products, yet we keep seeing vulnerabilities popping up," Shulman said. "Oracle's database server has gone through a dramatic change over the past year. Oracle 12c is an architecture change; it's a dramatic change. Do I believe this product is now so robust that by now there are only five medium-to-low risk vulnerabilities in it? I don't think so."
Shulman said it's likely that Oracle 12c, the latest version of the vendor's relational database management system, hasn't yet been thoroughly combed over by attackers, or that there are vulnerabilities that have already been reported to Oracle but have not yet been fixed.
"I think that we can expect to see quite a lot of [database patches] in the next CPU. I think the story of this CPU is really the numbers for Java, for MySQL, for Oracle business applications, and what it tells us about those vulnerabilities that we do not see."
Despite what Shulman described as the "tremendous effort" by Oracle to secure Java, he noted that both the vendor and outside researchers still find severe vulnerabilities in Java on a regular basis. He called for companies to stop relying on software to protect itself.
"We need an additional security layer that protects" software, Shulman said. "And it's really not a matter of, 'Let's invest a little more to write better code.' It's inherent to the fact that software today is very complex … and it's very difficult to weed out all of it."
At least in the case of mitigating MySQL database vulnerabilities, Wolfgang Kandek, CTO of Redwood City, Calif.-based vulnerability management vendor Qualys Inc., said attackers are generally able to exploit them if they can connect to the database, so companies should simply make sure their MySQL databases are not reachable from the Internet.
"It's quite common nowadays to find MySQL databases on the Internet. It's certainly not what you should do," said Kandek, "but things like cloud computing make it very easy to set up these databases and it can happen that you make configuration mistakes and possibly expose the MySQL port to the world."
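The configuration mistake Kandek describes usually comes down to what the server's `bind-address` says. The following check, an added example that is not from the article or from Oracle, parses a constructed `my.cnf` fragment and reports whether the `[mysqld]` section leaves the MySQL port listening beyond loopback; it assumes the configparser-compatible `key = value` syntax used in `my.cnf`.

```python
"""Flag MySQL server configs whose [mysqld] section listens beyond loopback."""
import configparser
import ipaddress

# Constructed my.cnf fragments (not from the article): the weak setting
# listens on every interface, the hardened one only on loopback.
WEAK_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

HARDENED_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""


def mysqld_exposure(cnf_text: str) -> dict:
    """Return the address the [mysqld] section listens on and whether that
    address is reachable from off the host. An absent bind-address is treated
    as 0.0.0.0 (the MySQL 5.x default); skip-networking disables TCP entirely."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return {"listen": None, "exposed": False, "reason": "no [mysqld] section"}
    section = cp["mysqld"]
    if "skip-networking" in section or "skip_networking" in section:
        return {"listen": None, "exposed": False, "reason": "TCP disabled (skip-networking)"}
    raw = (section.get("bind-address") or section.get("bind_address") or "0.0.0.0").strip()
    if raw == "*":
        return {"listen": raw, "exposed": True, "reason": "wildcard address"}
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # A hostname cannot be judged offline; treat it conservatively.
        return {"listen": raw, "exposed": True, "reason": "hostname, treated as exposed"}
    if addr.is_unspecified:
        return {"listen": raw, "exposed": True, "reason": "listens on all interfaces"}
    if addr.is_loopback:
        return {"listen": raw, "exposed": False, "reason": "loopback only"}
    return {"listen": raw, "exposed": True, "reason": "non-loopback interface, reachable from the network"}


if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, mysqld_exposure(cnf))
```

A bind-address of a LAN interface still counts as exposed here, since a cloud security group or firewall, not the setting itself, decides whether that interface faces the Internet.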
Kandek also noted that this month saw Oracle release a new version of its Outside In file-format technology, which is used in Microsoft Exchange. An update to Outside In usually triggers a new version of Exchange around two months later, Kandek said, so expect Microsoft to update Exchange accordingly as part of its March Patch Tuesday release.