Oracle released its latest vulnerability list. What this release highlights is the fact that Oracle should provide work-around instructions rather than dogmatically stick to immediate patching as the single alternative.
This one has 88 patches. Only four issues are in the Oracle database server whereas six are in MySQL database server. Key observations regarding the four database vulnerabilities, two are interesting:
- One vulnerability is severe, ranking 9 on a 10 scale. What is significant about this issue? It is the most severe even though exploiting it requires authentication. In this case, the vulnerability is in a component that is installed by default and known to have been vulnerable in the past on more than a few occasions. What does this component do? It allows users to do geometric searches. However, geometric search is not used very widely. Since the geometric search isn’t used very much, so Oracle should recommend, for example, removing the package altogether so only those who need it are exposed to it.
- The second vulnerability is a 7.1 on a 10 scale since it’s a complex exploit—but this seems low. Why? This vulnerability requires two procedures: create library and create procedure. What is of most interest here it the create library capability which maps the OS module to the database—an inherently dangerous process because you could map any OS native code to be mapped as stored procedures accessible through a DB SQL session. We suspect that the vulnerability allows server takeover using uncontrolled mapping, and that the patch reduces the ability to map arbitrary modules. Regardless, a better method would be to simply not allow anyone but an administrator to perform this process.