<<< Date Index >>>     <<< Thread Index >>>

Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers



http://www.red-database-security.com/advisory/published_alerts.html

19-jul-2005 - Advisory: Various Cross-Site-Scripting Vulnerabilities in Oracle Report - [Various CSS in Oracle Reports] (Not fixed after 700+ days) 19-jul-2005 - Advisory: Read parts of any XML-file on the application server via Oracle Report - [Read parts of any XML file via Oracle Reports](Not fixed after 700+days) 19-jul-2005 - Advisory: Read parts of any file on the application server via Oracle Report - [Read parts of any file via Oracle Reports] (Not fixed after 700+days) 19-jul-2005 - Advisory: Overwrite any file on the application server via Oracle Report - [Overwrite files via Oracle Reports] (Not fixed after 700+ days) 19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Report from any directory- [Run any OS command via Oracle Reports] (Not fixed after 700+ days) 19-jul-2005 - Advisory: Run any OS Command via uploaded Oracle Forms from any directory- [Run any OS command via Oracle Forms] (Not fixed after 700+ days)

Plus the last few crops of items that Oracle addressed containing items not fixed for almost 2 years, plus the fact that their security patches often fail to apply properly, plus the fact that their security patches now appear to sometimes not address the problem properly if at all, plus the fact that Oracle touts security, ran a nice big unbreakable campaign, etc, etc.

There's a ton of anecdotal evidence. There's a ton of security advisories with notification to release times measured in years (this actually seems to be quite normal). What more do you need? I look at open source vendors and projects, they have become amazingly responsive (major Linux kernel issues addressed in <1 month as a rule, often in days or a week), and even the closed sourced vendors that formerly were problematic have gotten better in general (Microsoft is a good example of improvement, pity they have to maintain scuh complete backwards compatibility though or I suspect we'd see much more improvement).

In the last 7 or so years I haven't seen much in the way of improvement from Oracle, security-wise.

-Kurt Seifried
http://seifried.org/freescan2/