Gartner has warned that Oracle databases no longer deserve their reputation for security and advised sysadmins to do more to protect their systems.
Analyst Rich Mogull came out with the warning on Monday, a few days after Oracle released its latest round of patches for a large number of serious security problems. "Oracle can no longer be considered a bastion of security," he said in a research note.
The patches fixed 82 vulnerabilities across Oracle's various product lines, with the flagship database alone counting 37 bugs, some of which could allow remote access to databases. "The range and seriousness of the vulnerabilities patched in this update cause us great concern," Mogull said. "Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur."
He said administrators often neglect to patch regularly because of Oracle's historically strong security and the fact that Oracle applications and databases are often not directly exposed to the outside world. "Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports," Mogull said.
Administrators need to wake up, however, to the fact that they are no longer secure, with Oracle vulnerabilities being discovered and disclosed increasingly often, and more exploit tools and proof of concept code circulating online.
Oracle doesn't help the matter by supplying less information about bugs than the industry standard, and publishing patches that are faulty or difficult to use, Mogull said. Oracle also doesn't supply workarounds.
Gartner recommends administrators to shield their systems with technologies such as firewalls and intrusion prevention systems, apply patches as quickly as possible, and to use security monitoring tools and other supplemental security methods.
Oracle users also need to pressure the company to change its security practices, Mogull said.
The company has been taken to task several times recently over the poor quality of its patches, several of which have had to be themselves patched - with some of these fixes also having to be fixed. However, Gartner's warning gives such criticisms a new level of prominence.
One of Oracle's most vocal critics, Alexander Kornbrust of Red Database Security, last spring even released a rootkit which he said demonstrates weaknesses in Oracle databases.
Kornbrust said this week he will release version 2.0 of the rootkit at this spring's Black Hat Conference, according to a report. Kornbrust said the new version will allow attackers to disguise attacks without modifying database views, and will erase evidence of a hack whenever the database is restarted.