Contact
QR code for the current URL

Story Box-ID: 399340

Imperva Inc. 3400 Bridge Parkway, Suite 101 94065 Redwood Shores, CA, United States http://www.imperva.com
Contact Ms Darshna Kamani +44 20 7183 2834
Company logo of Imperva Inc.
Imperva Inc.

Imperva CTO Contends "Oracle Patching Needs Fixing"

Severe Vulnerabilities Leave Production Environment Applications Without a Work-Around

(PresseBox) (Redwood Shores, CA, )
Amichai Shulman, CTO, Imperva, a web and database security company has reviewed the Oracle Critical Patch Update which was released today and provides the following analysis:

On the Oracle Patch process:

"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can't believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.

"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time. One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.

"Additionally troubling is that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.

"Without such insight, Oracle customers cannot develop a work-around for their production application and I find it hard to believe a company would patch critical applications without months of testing. This lack of transparency is outrageous behavior. Vendors expect researchers to shares details with them responsibly, yet they fail to do the same with security vendors and their customers.

On today's patch:

"As for the patch, there are four vulnerabilities rated 10 for severity. We are seeing fixes for remote execution without authentication, which is very severe. For example, the Audit Vault vulnerability allows an attacker to bypass authentication and act as a remote administrator to execute any command on a server installed with Audit Vault agent.

"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. People soft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules.

"Exploits may emerge over the next few days, but we'll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment."

If you would like further information or would like to speak to Amichai Shulman about these updates, please contact me on 44 207 183 2834 or email Darshna@eskenzipr.com
The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.