Oracle CPU January 2012: Patch your DBs NOW!
The Oracle (NASDAQ:ORCL) critical patch update (CPU) for January 2012 includes just two fixes for the eponymous database. But at least one is a real doozy, it seems. In IT Blogwatch, bloggers wonder where the patches are for all the other critical bugs.
Your humble blogwatcher (@richi) curated these bloggy bits for your entertainment. Not to mention: a heartwarming tale of brotherly support...
Gregg Keizer reports:
Alex Rothacker, director of security research [for] TeamShatter..said that Oracle has "thrown in the towel on fixing database vulnerabilities." .. Oracle..said it would patch 78 vulnerabilities altogether..only two in its Oracle Database products.
..
Rothacker cited nine bugs..reported to Oracle..which have not yet been patched, as evidence that [it] contains vulnerabilities. .. Two or three of the nine..are serious enough that [TeamShatter] rank them as high risks, and think should have been patched by now. .. [He] believes there's a correlation between the drop in database patches and Oracle's acquisition of Sun..in January 2010.
Fahmida Y. Rashid adds:
"Either the database server has reached an amazing maturity..or Oracle did not have enough resources to include more fixes," [said] Amichai Shulman, CTO of Imperva, [and that] there appears to be a "bottleneck" in Oracle's patching process.
Sean Gallagher outlines the two patched Oracle database defects:
The vulnerability in Oracle Database..is in the database's listener program which..has been the source of a number of vulnerabilities, dating back at least ten years.
..
There's also a fix for a vulnerability in the core DBMS..of a less critical nature that is not exploitable without authentication—but "has a significant non-security component."
And Paul Venezia has his own bug report:
[T]his particular collection of Oracle issues could incur database outages that take considerable time and effort to correct. .. After we notified Oracle of our discoveries..the company requested that we hold this story until it had time to develop and test patches. .. Those patches are available..as part of the Oracle Critical Patch Update for January 2012.
..
At the core of the issue is the System Change Number (SCN)..the key to maintaining data consistency. .. a bad actor could..cause a systemwide Oracle database communications failure, a shutdown, or a crash.
..
These patches are being released for only the more recent versions of the database. .. Given the sheer number of Oracle installations older than 11.2.0.2.0 and 10.1.0.5, a large installed base will remain vulnerable.
So what's Julie Bort's reaction? "Yikes!":
The flaw had to do with time stamp technology that..is the key to keeping data synchronized and safe. .. This is one of those critical systems that was difficult to fix and affected a long list of Oracle's products.
..
[Venezia] contends that Oracle executives knew about [it]..downplayed it [and] issued a workaround fix that could have caused customers even more headaches.
Meanwhile Dennis Fisher is highly critical of Oracle:
While Microsoft has really made huge strides in making SQL Server secure, Oracle is still lagging far behind. Lip service in blog posts is no replacement for actually turning your engineering culture around.
And Finally...
Dear Customer who stuck up for his little brother...
[hat tip: Chris Lackey]
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: itbw@richij.com. You can also read Richi's full profile and disclosure of his industry affiliations.

