12 Nov 2004
Oracle's refusal to release more specific information about a recently uncovered 'Severity 1' security vulnerability affecting its products leaves the firm's customers open to increased risks, Gartner has warned.
According to the analyst firm, on 9 November 2004, in a conversation with Gartner, Oracle declined to provide more detailed information about what vulnerabilities its security patch 68 is meant to fix.
The database giant insisted that this approach was in accordance with its standard policy.
Oracle first issued the security patch on 31 August and reissued its alert on 14 October after proof-of-concept exploit code began circulating on the internet.
The patch covers vulnerabilities in Oracle Database Server, Application Server and Enterprise Manager. Oracle has given the vulnerabilities its most serious 'Severity 1' rating.
"Oracle refuses to provide more details about the consequences for users if they do not apply security patch 68," a Gartner advisory by analysts Neil MacDonald and Rich Mogull warned.
"Furthermore, Oracle has not said whether the vulnerabilities affect older, non-supported versions. At worst, records in every Oracle database you own could be vulnerable."
Gartner acknowledged that publishing detailed information could help attackers and lead to successful exploits.
However, the analyst firm stressed that disclosing the details of an exploit is different from telling customers what the consequences are if they do not protect against it.
"We believe that Oracle is erring by refusing to discuss how vulnerable customers are if they do not apply the patch," Gartner stated.
"System administrators do not have enough information to decide what to do (for example, which servers to prioritise or which data is most vulnerable), and this could delay the implementation of patches."
According to Oracle, an exploit against these vulnerabilities would look like a legitimate SQL*NET conversation; it would not rely on 'bad' or malformed SQL*NET commands of the kind that a perimeter device could easily block on sight.
The Gartner advisory went on to state: "If Oracle would provide more information about the nature of the vulnerability, customers might be able to proactively set up inspection safeguards, such as deep-packet inspection firewalls, intrusion prevention systems and application firewalls with SQL*NET capabilities."
Gartner advises firms using a supported version of the affected software to apply the Oracle-supplied patches immediately.
The analyst firm said that companies with older, non-supported versions of Oracle, such as 7.x or 8.0x, should consider an immediate upgrade or switch to an alternative product.
Firms can gain additional protection if they are able to deploy an SQL*NET-capable deep-packet inspection firewall or intrusion prevention system to detect and shut down attacks, Gartner's advisory stated. Since Oracle says exploit traffic would resemble a legitimate SQL*NET conversation, such a device would have to understand the protocol content rather than simply drop malformed packets, which is why Gartner argues that more detail from Oracle is needed to configure it effectively.
The report also advised Oracle customers to consider field-level encryption to protect data from unauthorised access, and to check Oracle's Metalink FAQ frequently for information on this patch.