Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Alexander Kornbrust has an advisory for CPU - January 2005"] [Next entry: "Search Oracle talks about the Critical Patch Update"]

Alexander Korbrusts upcoming Oracle security bugs



I was browsing Alex's newly updated site and found that he has added quite a bit of content compared to its previous state (simply a logo and three or four text advisories). Alex is a bug hunter extraordinaire as he has found a large amount of security bugs in Oracle over the last few years.

One of the most interesting pages on Alex's site is his page Upcoming Security Alerts which lists 27 bugs Alex has found in Oracle products and one in BEA. The Oracle bugs are not part of a patch release yet by Oracle. Some are classed as high or medium severity but most are classed as low severity. The table also includes a reference number allocated by Alex and also the date the bug was reported to Oracle. Most were reported in 2003, the earliest in July 2003 some 18 months ago. Almost all of them have been reported for at least one year. Whilst Oracle have made great progress with the type of information included in the newest advisory released on 18 January they clearly need to make a lot of progress on the timescales taken from someone reporting a security bug to them to the point that it is fixed. The contents of these bug reports are known to Alex and the Oracle team but that doesn't mean to say that others, malicious or not have not found the same bugs in this timescale.


I also note that Alex's numbering scheme means that he has found at least 42 security bugs, assuming there are no gaps in the numbering scheme. This is also a substantial number of security bugs for one person to have found over an 18 month period.

Out of interest the same page on Alex's site also includes a link to the NGS site that lists bugs that they have found that are not fixed yet. This page also includes 16 security bugs found in Oracle mostly classed as high severity that also have not been patched yet. This gives a total of 43 security bugs in Oracle that are known by researchers and Oracle that are not yet patched. The NGS bugs are listed as being reported on 9/9/2004 so most are more recent than Alex's bugs.

I hope Oracle are planning to fix these bugs quickly. I can understand that fixing bugs in software written for a lot of platforms can take a lot of time but 18 months does sound far too long. I hope that Oracle can make great progress on this front just as they have done on the information in their new advisories.