By Jeremy Kirk
IDG News Service
30 January 2006
Oracle and a security researcher have fallen out over a vulnerability
in the company's software that has gone unpatched since it was
discovered in October.
The company is warning its customers not to use a workaround written
by David Litchfield for a security vulnerability, claiming the
suggested workaround could break its software.
Litchfield, managing director of Next Generation Security Software
Ltd. in Sutton, England, said he posted the fix on the BugTraq mailing
list on Wednesday after warning Oracle about the dangers the
Oracle was notified of the workaround before it was released, but has
found it "inadequate," said Duncan Harris, Oracle's senior director of
security assurance. It will break a large number of E-Business Suite
applications, he said.
"We know it will break a number of Oracle products higher in the stack
than the Oracle Application Server that the vulnerability exists in,"
Oracle has issued several patches for the vulnerability over past four
years, none of which worked, Litchfield said Friday.
The vulnerability affects Oracle Application Server, Oracle Internet
Applications Server and Oracle HTTP Server. The vulnerability lies
with the PLSQL gateway, a bit of code that allow Web-based users to
interact with PLSQL applications in the backend database server,
Litchfield said. The gateway passes a user request to the backend
database server and executes there, he said.
"Someone can come in off the Internet over the Web without a user ID
or password and interact with the backend database server, so it goes
through all the firewalls," Litchfield said. "This is critical."
The fix is "trivial" and he doesn't understand why a patch was not
included in Oracle's Critical Patch Update last week. When a fix
wasn't issued, Litchfield said he thought "well, you know I'll do it
then. Christ, it's not difficult."
But Harris contested that assumption. "Compared to some others, this
one is extremely difficult to fix and test it thoroughly," he said.
Oracle prioritises vulnerabilities as far as patching, Harris said. So
far, no exploit code has been released. If exploit code is released,
Oracle could push out a quick one-time emergency patch, Harris said.
The next patching round is scheduled for April, and whether this
vulnerability is fixed will depend on if there are other more pressing
ones, he said.
Nonetheless, Harris assailed Litchfield's action.
"By just revealing what he has in this workaround, it definitely is a
very strong starting point for any malicious hacker...to try and
understand the vulnerability and produce an exploit," Harris said.
"Yes, we are clearly disappointed that he felt the need to say
anything about this vulnerability before we had a patch available."
Litchfield said he didn't reveal specific details of the vulnerability
on BugTraq. Oracle lags other software vendors in fixing bugs, he
said. "They are well behind the curve at the moment."
Earlier this week, Gartner analyst Rich Mogull wrote that Oracle could
no longer be considered a bastion of security a few days after the
company fixed 82 vulnerabilities in its products. Oracle hasn't had a
mass security exploit, but more proof-of-concept code and exploit
tools are circulating online, he wrote in a research note.
Responding to Gartner, Oracle said in an e-mail statement to IDG News
Service that it started a quarterly patch update program and is using
code scanning analysis software from Fortify Software Inc. to increase
the quality of code. Oracle licensed the code scanning tools for its
Server Technologies group, which handles development of its database,
application server, identity management and collaboration suite
"We are continually evaluating our security development processes, as
well as looking at ways to further strengthen our overall product
security," the statement said.
InfoSec News v2.0 - Coming Soon!