Over the past two months, InfoWorld has been researching a flaw in Oracle’s flagship database software that could have serious repercussions for its customers, potentially compromising the security and stability of Oracle database systems. There is a very detailed article at the link provided above, and a follow-up from InfoWorld here. The “boiled down” version:
The flaw could make any unpatched Oracle Database vulnerable to attack, and could pose a special risk to large Oracle customers with interconnected databases. Both vulnerabilities stem from a mechanism that most Oracle DBAs seldom deal with. At the core of this issue is the System Change Number (SCN) in Oracle. This is a number that increments sequentially with every database commit and is crucial to normal Oracle database operation. The SCN is also incremented through linked database activities.
The SCN “time stamp” is the key to maintaining data consistency in Oracle, allowing the database to respond to every query with the appropriate version of data at a given point in time. It works like a clock for database transactions, and like time, cannot move backwards.
When Oracle databases link to each other, they synchronize to a common SCN to maintain data consistency. This is the highest SCN carried by any participating Oracle database instance because the SCN clock runs forwards only. Only very basic permissions are required to make a connection that can cause one database to increment the SCN on another.
Oracle’s architects knew the SCN needed to be a massive integer. It is a 48-bit number (281,474,976,710,656). It would take eons for an Oracle database to eclipse that number of transactions and cause problems, or so you might think…
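The following toy model is an added example written for this post; it is not Oracle code and does not reproduce Oracle's implementation. It captures the three properties described above: the SCN is a forward-only counter advanced by every commit, databases joined by a link converge on the highest SCN among them, and the counter has a 48-bit ceiling. The database names and commit counts are constructed, and the model assumes (a simplification, since a real instance advances its SCN for reasons other than commits) that the SCN starts at zero and grows by exactly one per local commit, which is what lets `external_advance` separate SCN growth caused by the local workload from growth pulled in over a database link, the kind of figure a DBA would want to trend when monitoring linked databases.

```python
"""Toy model of Oracle's System Change Number (SCN) as described in the text.

Added example, not Oracle code. Names and numbers are constructed.
"""
from dataclasses import dataclass

SCN_MAX = 2 ** 48               # 281,474,976,710,656: ceiling of a 48-bit SCN
SECONDS_PER_YEAR = 365 * 24 * 3600


@dataclass
class Database:
    """One database instance; 'local_commits' is what its own workload contributed."""
    name: str
    scn: int = 0
    local_commits: int = 0

    def commit(self, n: int = 1) -> int:
        """Every commit advances the SCN; the clock never moves backwards."""
        self.scn += n
        self.local_commits += n
        return self.scn

    def external_advance(self) -> int:
        """SCN growth not explained by local commits, i.e. pulled in over database links
        (assumes SCN started at 0 and each local commit added exactly 1)."""
        return self.scn - self.local_commits

    def headroom(self) -> int:
        """Distance to the 48-bit ceiling."""
        return SCN_MAX - self.scn


def link_call(a: Database, b: Database) -> int:
    """A database-link call synchronizes both ends to the higher SCN."""
    high = max(a.scn, b.scn)
    a.scn = b.scn = high
    return high


def propagate(links) -> None:
    """Keep exchanging over every link until the interconnected group converges
    on the maximum SCN held by any member."""
    while True:
        changed = False
        for a, b in links:
            before = (a.scn, b.scn)
            link_call(a, b)
            changed = changed or (a.scn, b.scn) != before
        if not changed:
            return


def years_to_exhaust(db: Database, commits_per_second: float) -> float:
    """How long the remaining 48-bit headroom lasts at a steady commit rate."""
    return db.headroom() / commits_per_second / SECONDS_PER_YEAR


def demo():
    """Three constructed databases: hr and warehouse are only linked through finance."""
    hr = Database("hr")
    finance = Database("finance")
    warehouse = Database("warehouse")
    hr.commit(1_000)
    finance.commit(5_000)
    warehouse.commit(2_000)
    propagate([(hr, finance), (finance, warehouse)])
    return hr, finance, warehouse


if __name__ == "__main__":
    for db in demo():
        print(f"{db.name}: scn={db.scn} local={db.local_commits} "
              f"external={db.external_advance()} headroom={db.headroom()}")
    print(f"years at 1000 commits/s: {years_to_exhaust(Database('x'), 1000):.0f}")
```

Running `demo()` shows why the "eons" intuition is misleading for interconnected systems: hr only committed 1,000 times, yet after one round of link traffic its SCN sits at 5,000, and the 4,000 difference is visible only if you track local commits separately from the SCN itself. The same `external_advance` check is the number to alert on if an SCN jumps far beyond what the local workload explains.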
Oracle releases patches for all of its software except Java quarterly, in a set of patches it calls a Critical Patch Update (CPU). The next CPU is due on Tuesday, April 19th. Oracle is planning on releasing 73 security patches for various software products in that CPU, including 6 for its flagship database software. Two of the database vulnerabilities are considered critical, meaning they may be exploited over a network without the need for a username and password.
9 patches are expected for Oracle Fusion Middleware, 14 for PeopleSoft Suite, and 8 for JD Edwards Suite. Oracle will patch many of its Sun products, including Solaris, and some of the Java server software. However, the widely used Java SE and Java for Business client software are not scheduled to be updated in this release. The June 7th and Oct. 18th CPUs are expected to include the Java platform. Definitely out of sync with the next CPU for the rest of Oracle’s products, which is due July 19th.
According to 430 Oracle database admins surveyed by the Independent Oracle Users Group, security remains a major problem.
The survey, released last month, found that fewer than 30% encrypt personally identifiable information (PII) in all of their databases, while about 75% acknowledge their organizations cannot prevent privileged database users from reading or tampering with HR, financial or other stored business application data.
The survey shows organizations aren’t applying sufficient resources to improve security, and that there’s been little change from last year’s survey, in which more than two-thirds of the DBAs polled said they had never installed an Oracle patch on their database servers, no matter how critical the vulnerabilities being patched.
About 66% of the 2010 survey respondents admitted there was no way to detect or prove that the database administrators were not abusing their privileges in their organizations.
64% said they don’t monitor database activity.
Close to half of the respondents said a user with “common desktop tools” might be able to gain unauthorized direct access to sensitive information stored in databases.
Less than 33% of those monitoring are watching for sensitive reads and writes.
Patch management is problematic for Oracle database admins, with 37% saying that most patches are applied after three months.
6% said they were aware of an enterprise data breach, compromise or tampering over the past year.
Next Tuesday looks to be another busy one as Microsoft and Oracle ratchet up the patch engine. October tends to be a high volume month, as we approach the holiday/vacation season.
October 12th looks set to produce a record number of security update bulletins: an estimated 16 Microsoft bulletins addressing 49 vulnerabilities, and 81 patches from Oracle. Detailed information can be found in the advance notification bulletins.