Oracle Critical Patch Update for April 2008
Comments on database security notice.
I just received my notification for the April 2008 security update from Oracle. Some information can be found here; scroll down to the ‘Oracle Database Risk Matrix’. Unlike some of my peers in the industry, I have usually been pretty happy with the security patches that come from Oracle. What is more, they tend to release security patches on a very regular schedule, so the DBA in me appreciates this consistency, both because Oracle has trained me to look for it and because I can plan the deployment of the patch into my normal workflow.
What bugs me is the lack of information about the threat, or about what the real issue is, when looking at the contents of the security patches. Why the lack of details? I am not too sure if this is because they have the mindset that they do not want to reveal too much information to would-be hackers, which is a laughable assumption, or if this is some legal mumbo-jumbo to reduce liability. Regardless, it’s annoying. I want to understand the threat so I can take appropriate action; for example, I may not agree with Oracle’s threat assessment and want an interim workaround prior to deploying a patch. Or I might alter my normal deployment schedule if I deem the risk too great to delay. But you cannot assess the urgency of the patch, or take appropriate action, if you have no clue as to the nature of the threat, so in fact the customer has little information that is helpful. ‘Critical Patch’ is only marginally more informative than ‘Threat Level: Orange’.
More important to this discussion: Oracle does not assign risk for your business. You do. Even if Oracle could produce a satisfactory definition for “Base Scores” (here is a blog post that does a better job than the official Oracle documents), it is irrelevant to understanding the threat to your business. A database is not a standalone entity; rather, it can have multiple audiences, applications, processes and users. If you’re going to provide a ‘Risk Matrix’, you need to include some information that is pertinent to the risk, not just a list of code areas affected. These are two completely different concepts that Oracle has merged together as if they were equivalent.
I don't think you need to jump out and install this ASAP, despite some of the sensationalistic journalism based on this patch release. The Oracle advisory states “1 of these database vulnerabilities may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password.” But the ‘Risk Matrix’ lists Oracle 11.1.6 as the version affected. Even if the Oracle Base Score was considered a ‘10’, a complete system compromise, does this have an impact on you? As 11 is the only release affected, the comments about databases being a ‘Sitting Duck’ are a little overblown IMO. I am unaware of any corporate client of ours who has gotten Oracle 11 out of the lab and into production, so the scope of this threat is minimal.
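The argument above, that the vendor's base score only matters once you check it against the releases you actually run and where they sit, can be made mechanical. The following is an added example (not code from the original post or from Oracle): it ranks each advisory row against a hypothetical database inventory, where the inventory fields, the placeholder base scores and the "Core RDBMS (placeholder)" row are constructed for illustration; only the version and component names come from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MatrixRow:           # one risk-matrix row, reduced to what the advisory exposes
    component: str
    affected_versions: tuple  # releases the matrix lists as affected
    remote_no_auth: bool      # "exploitable over a network without a username and password"
    base_score: float         # Oracle's CVSS base score

@dataclass(frozen=True)
class DbInstance:          # one database in your estate (hypothetical inventory fields)
    name: str
    version: str
    production: bool          # lab systems carry little business risk
    network_exposed: bool     # listener reachable from untrusted networks

NOT_AFFECTED, LAB_ONLY, NORMAL_CYCLE, EXPEDITE = 0, 1, 2, 3

def urgency(row: MatrixRow, db: DbInstance) -> int:
    """Business urgency of one matrix row for one instance (higher = sooner)."""
    if db.version not in row.affected_versions:
        return NOT_AFFECTED   # the vendor score is moot if you do not run the release
    if not db.production:
        return LAB_ONLY       # patch with the next lab refresh, nothing to expedite
    if db.network_exposed and (row.remote_no_auth or row.base_score >= 9.0):
        return EXPEDITE       # reachable pre-auth or high-impact flaw: do not wait
    return NORMAL_CYCLE       # fold into the regular CPU deployment schedule

def triage(rows, inventory):
    """Map each instance name to (highest urgency, component that drives it)."""
    result = {}
    for db in inventory:
        best = (NOT_AFFECTED, None)
        for row in rows:
            u = urgency(row, db)
            if u > best[0]:
                best = (u, row.component)
        result[db.name] = best
    return result

MATRIX = [  # constructed sample rows: scores are placeholders, not the real April 2008 matrix
    MatrixRow("Core RDBMS (placeholder)", ("11.1.6",), True, 10.0),
    MatrixRow("DBMS_CDC_UTILITY", ("11.1.6",), False, 6.5),
    MatrixRow("SYS.DBMS_AQ", ("11.1.6",), False, 5.5),
]
INVENTORY = [  # constructed sample estate
    DbInstance("erp-prod", "10.2.0.3", True, False),   # older release, internal only
    DbInstance("lab-11g", "11.1.6", False, True),      # 11g still in the lab
    DbInstance("crm-prod-11g", "11.1.6", True, True),  # hypothetical 11g in production
]
```

With this inventory the production 10g system is untouched by the advisory and the 11g box is lab-only, which is exactly why the headline score alone does not set the deployment schedule.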
What does concern me is seeing areas of the code like DBMS_CDC_UTILITY and SYS.DBMS_AQ, which are complex and have had vulnerabilities over time, show up again. Hackers tend to learn the nuances of specific modules and then attack them over and over again, which is why we see a chain of vulnerabilities against specific modules over time. But those modules tend to be the ones that were not designed with security in mind, and that is why they were targeted to begin with.
I will post more once I get a chance to review the patches more thoroughly. So while I recommend you apply it when you get a chance, I do not see anything that is a huge, hair-on-fire threat.