Oracle denies researcher's security claims

Oracle and a security researcher have fallen out over a vulnerability in the company's software that has gone unpatched since it was discovered in October.

The company is warning its customers not to use a workaround written by David Litchfield for a security vulnerability, claiming the suggested workaround could break its software.

Litchfield, managing director of Next Generation Security Software Ltd. in Sutton, England, said he posted the fix on the BugTraq mailing list on Wednesday after warning Oracle about the dangers the vulnerability posed.

Oracle was notified of the workaround before it was released, but has found it "inadequate," said Duncan Harris, Oracle's senior director of security assurance. It will break a large number of E-Business Suite applications, he said.

"We know it will break a number of Oracle products higher in the stack than the Oracle Application Server that the vulnerability exists in," Harris said.

Oracle has issued several patches for the vulnerability over past four years, none of which worked, Litchfield said Friday.

The vulnerability affects Oracle Application Server, Oracle Internet Applications Server and Oracle HTTP Server. The vulnerability lies with the PLSQL gateway, a bit of code that allow Web-based users to interact with PLSQL applications in the backend database server, Litchfield said. The gateway passes a user request to the backend database server and executes there, he said.

"Someone can come in off the Internet over the Web without a user ID or password and interact with the backend database server, so it goes through all the firewalls," Litchfield said. "This is critical."

The fix is "trivial" and he doesn't understand why a patch was not included in Oracle's Critical Patch Update last week. When a fix wasn't issued, Litchfield said he thought "well, you know I'll do it then. Christ, it's not difficult."

But Harris contested that assumption. "Compared to some others, this one is extremely difficult to fix and test it thoroughly," he said.

Oracle prioritises vulnerabilities as far as patching, Harris said. So far, no exploit code has been released. If exploit code is released, Oracle could push out a quick one-time emergency patch, Harris said. The next patching round is scheduled for April, and whether this vulnerability is fixed will depend on if there are other more pressing ones, he said.

Nonetheless, Harris assailed Litchfield's action.

"By just revealing what he has in this workaround, it definitely is a very strong starting point for any malicious hacker...to try and understand the vulnerability and produce an exploit," Harris said. "Yes, we are clearly disappointed that he felt the need to say anything about this vulnerability before we had a patch available."

Litchfield said he didn't reveal specific details of the vulnerability on BugTraq. Oracle lags other software vendors in fixing bugs, he said. "They are well behind the curve at the moment."

Earlier this week, Gartner analyst Rich Mogull wrote that Oracle could no longer be considered a bastion of security a few days after the company fixed 82 vulnerabilities in its products. Oracle hasn't had a mass security exploit, but more proof-of-concept code and exploit tools are circulating online, he wrote in a research note.

Responding to Gartner, Oracle said in an e-mail statement to IDG News Service that it started a quarterly patch update program and is using code scanning analysis software from Fortify Software Inc. to increase the quality of code. Oracle licensed the code scanning tools for its Server Technologies group, which handles development of its database, application server, identity management and collaboration suite software.

"We are continually evaluating our security development processes, as well as looking at ways to further strengthen our overall product security," the statement said.