Computing

Gartner slams Oracle security processes

Firm's software 'can no longer be considered a bastion of security', claims analyst

Robert Jaques, vnunet.com 26 Jan 2006

Gartner has warned that recently uncovered critical Oracle vulnerabilities mean that the firm's software "can no longer be considered a bastion of security".

As a result, the analyst firm urges Oracle database and application managers to begin protecting and maintaining Oracle systems more aggressively.

The warning comes after Oracle released its critical patch update on 17 January, which included patches for 82 vulnerabilities across multiple product lines.

These included all currently supported Oracle databases, Oracle Application Server, Enterprise Manager, Collaboration Suite, E-Business Suite, PeopleSoft applications and JD Edwards applications.

Rich Mogull, research vice president at Gartner, said that, although Oracle's quarterly patch programme enables system administrators to plan and schedule Oracle maintenance, the range and seriousness of the vulnerabilities patched in the latest update was a cause for "great concern".

"The database products alone included 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access," he said.

"Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur.

"Many Oracle administrators rely on a combination of the company's historically strong security and the fact that Oracle applications and databases are typically located deep within the enterprise, and so neglect to patch their systems regularly.

"Moreover, patching is sometimes impossible due to ties to legacy versions that Oracle no longer supports."

Mogull went on to warn that such complacency is "no longer acceptable" because critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the internet.

© 2006 Incisive Media Investments Ltd
