Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

From: Kurt Seifried (bt_at_seifried.org)
Date: 10/08/05

    To: "David Litchfield" <davidl@ngssoftware.com>, "Gadi Evron" <ge@linuxbox.org>
    Date: Fri, 7 Oct 2005 16:50:22 -0600

    http://www.red-database-security.com/advisory/published_alerts.html

    19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days)
    19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report - [Read parts of any XML file via Oracle Reports] (Not fixed after 700+ days)
    19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after 700+ days)
    19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+ days)
    19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory - [Run any OS command via Oracle Reports] (Not fixed after 700+ days)
    19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory - [Run any OS command via Oracle Forms] (Not fixed after 700+ days)

    Plus the last few crops of items that Oracle addressed containing items not
    fixed for almost 2 years, plus the fact that their security patches often
    fail to apply properly, plus the fact that their security patches now appear
    to sometimes not address the problem properly if at all, plus the fact that
    Oracle touts security, ran a nice big unbreakable campaign, etc, etc.

    There's a ton of anecdotal evidence. There's a ton of security advisories
    with notification to release times measured in years (this actually seems to
    be quite normal). What more do you need? I look at open source vendors and
    projects, they have become amazingly responsive (major Linux kernel issues
    addressed in <1 month as a rule, often in days or a week), and even the
    closed-source vendors that formerly were problematic have gotten better in
    general (Microsoft is a good example of improvement, pity they have to
    maintain such complete backwards compatibility though or I suspect we'd see
    much more improvement).

    In the last 7 or so years I haven't seen much in the way of improvement from
    Oracle, security-wise.

    -Kurt Seifried
    http://seifried.org/freescan2/

