The Week of Oracle Database Bugs

← Back to Stories (view on slashdot.org)

The Week of Oracle Database Bugs

Posted by ryuzaki0 on Tuesday November 21, 2006 @06:38AM from the your-turn dept.

os2man writes "After the Month of Browser Bugs and the Month of Kernel Bugs, December will have a Week of Oracle Database Bugs. This project will release, every day for a week, a new 0-day bug specific to Oracle in order to show the current status of its [in]security. They are currently asking for new bugs, in order to extend the publication of new exploits a few more days."

20 of 56 comments (clear)

Min score:

Reason:

Sort:

Great by Spritzer · 2006-11-21 06:39 · Score: 4, Interesting

Maybe they should look at security issues with Oracle's Discoverer client as well. It's pretty sad when having "@" in your password will compromise every character that follows within your password. For example, if ODB password were Sl@shd0t! and the database to connect to were BOB, at the next login the Connect field would be filled with shd0t!@BOB. Not a huge issue, but certainly a risk if multiple people with varying permissions/responsibilities in Oracle have access to a machine with Discoverer.
um yeah by stoolpigeon · 2006-11-21 06:41 · Score: 5, Insightful

without even commenting on the quality of oracle's rdbms, this statement:
Why not the Month of Oracle Database Bugs?
We could do the Year of Oracle Database Bugs but we think a week is enough to show how flawed Oracle software is, also we don't want to give away all our 0days:), anyways if you want to contribute send your Oracle 0days so this can be extended for another week or more.

doesn't even make sense. They have enough to do a whole year but ask for people to send in more to extend it to a second week? Because they don't want to compromise their entire zero day horde? Sorry but I just can't take these people too seriously.

--
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
1. Re:um yeah by ajs · 2006-11-21 06:56 · Score: 3, Interesting
  
  It does make sense, but it's just not very smart.
  
  This is a group of (or singular) kiddies who want to make Oracle look bad. That's fine, and Oracle is a big company that I'm sure can take care of itself (C&D paperwork is probably burning out toner cartriges by the gross at Oracle HQ as we speak). My concern is that folks that are good at security testing, but too young to know how to direct their efforts constructively are going to destroy their fledgling careers before they get started. Many such bright kids these days assume that they'll make a name for themselves, and then the consulting bucks will roll in. Problem is that the wrong kind of press can lead to SOME work, but far less than you would have gotten by building a reputation in the industry through the quality of your work and references.
  
  As with security, in the job/consulting world social engineering is often a better approach than trying to pick the lock on the front-door.
2. Re:um yeah by djbckr · 2006-11-21 07:06 · Score: 3, Insightful
  
  I was going to mod this up, but I thought I'd post instead. Oracle database work is my livelyhood. Oracle makes no qualms about the number of bugs they have. Many of them are posted for all to see on their MetaLink support site. Many of them are not public for security reasons - and well they should be.
  
  I've found several Oracle bugs in my dealings with the software. I create a reproduceable test-case and send it to them. They always respond with 1) this is a known bug, and it's bug #nnn; or 2) bug reproduced in lab on version n.n.n - filed as bug #nnn
  
  If I found a bug related to security, I am *certain* they would do the same, and not publish it. It would be foolish to do so. Why oh why do people like this need to publish security related bugs so everyone can get comprimised? It's simply irresponsible.
  
  Oracle software is a *huge* moving target, and to fix a bug in something used by so many is a long, involved process. Break something critical in a patch and watch all hell break loose. Let the bug fixers do their jobs. It takes time, and exposing flaws like this does nobody any good.
3. Re:um yeah by Psychotext · 2006-11-21 07:11 · Score: 3, Insightful
  
  I think realistically a lot of this can be traced back to the "Unbreakable" marketing campaign. They set themselves up for a major fall. That said, Oracle takes far too long to patch vulnerabilities and worrying about "breaking something critical" is not a good excuse.
  
  --
  People that believe in their opinions don't post AC.
4. Re:um yeah by djbckr · 2006-11-21 07:28 · Score: 2, Insightful
  
  "worrying about "breaking something critical" is not a good excuse"
  
  Tell me, if your data was tied up in an [Oracle] database (and really, any database could be replaced between the [] for this question) and that data was key to your business processes - now we're talking about multi-billion $$$ corporations whose data is their livelyhood - and Oracle were to release a patch and all of a sudden their data started corrupting or simply stopped working. You don't call that a good excuse???
  
  Sorry, that doesn't fly with me - I would call *that* ridiculous.
5. Re:um yeah by mrsbrisby · 2006-11-21 08:06 · Score: 2, Insightful
  
  Many of them are not public for security reasons - and well they should be.
  Sir, I have a car to sell you. There have been a number of customers killed in it, but I will not tell you why, until I get around to fixing the problem.
  
  If I found a bug related to security, I am *certain* they would do the same, and not publish it. It would be foolish to do so. Why oh why do people like this need to publish security related bugs so everyone can get comprimised? It's simply irresponsible.
  No, it's not. If I have an Oracle database with a security vulnerability in it, I might be immune- my firewall might protect me, or I might not have users accessing it in a way that makes me vulnerable.
  
  If I am vulnerable, exactly what can the attacker accomplish? I might want to shut down my database. If it happens too frequently, I may want a refund.
  
  Whatever I do, it's my decision, and not Oracles. The bugs are their because of their sloppiness. If I know about them, then I can protect myself. If I don't know about them, then I cannot protect myself. It's as simple as that.
  
  So do understand sir, you are asking me to trust them. Not just a little bit either, but potentially with the livelyhood of my company. Where exactly do you think these vulnerabilities come from, and who exactly do you think "discovers" them, and most importantly, why is it you think keeping information about these vulnerabilities secret from me (the customer) is a good thing?
  
  Tell me exactly sir, how is my request "irresponsible"?
0-day by Schraegstrichpunkt · 2006-11-21 06:48 · Score: 4, Funny

That word. I do not think it means what you think it means.

--
http://outcampaign.org/
Bug vs. Exploit... by msimm · 2006-11-21 06:55 · Score: 2, Interesting

They are talking about two different things. Its one thing to say: hey, I'm a DBA and Oracle has a lot of bugs. Its another to say: hey hackers! There are a whole bunch of unpatched 0day exploits.

Extending the week to two would be fine if it helps motivate Oracle to patch their software *before* someone makes these more trivially exploitable.

--
Quack, quack.
1. Re:Bug vs. Exploit... by stoolpigeon · 2006-11-21 07:01 · Score: 2, Insightful
  
  but why do they need help to extend it a week if they have enough to last a year?
  
  --
  It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
Oracle is unbreakable by duffbeer703 · 2006-11-21 07:00 · Score: 3, Funny

Mess with Oracle, and this guy will mess with you.

--
Conformity is the jailer of freedom and enemy of growth. -JFK
Next by Anonymous Coward · 2006-11-21 07:09 · Score: 5, Funny

I presume that will be followed by 2007, "The Year of Windows Vista Bugs"?
1. Re:Next by Bacon+Bits · 2006-11-21 07:32 · Score: 3, Funny
  
  I thought this was already "The Decade of Microsoft Windows Bugs"?
  
  --
  The road to tyranny has always been paved with claims of necessity.
No sure what is being achieved here by Utopia · 2006-11-21 07:21 · Score: 2, Insightful

by exposing 0-day bugs other than helping bad hackers but I would love to see someone poke holes in MS SQL server.

Its been 1 year with no known exploits in SQL Server 2005 (zero in the product lifetime)
http://blogs.technet.com/security/archive/2006/11/ 07/sql-server-2005-1-year-and-not-yet-counting.asp x
No kidding?! by firespade · 2006-11-21 07:31 · Score: 2, Interesting

Bugs specific to security? There are still several exploits concerning the metadata itself. And on top of that, Secunia has multiple cases of vulnerabilities concerning all versions of the Oracle Database. All the way from Database Restriction Bypassing to boundary errors leading to buffer overflows by user initiated malicious attacks. Try harder Oracle.. try harder. Anthony
I feel like we are caught in a .... timeloop by msimm · 2006-11-21 08:04 · Score: 3, Insightful

They say A) they have enough bugs (erherm, not exploits) to last a year B) they also say (I won't even speculate on the quality of the comment) "we don't want to give away all our 0days".

So whatever. They had a weeks worth of exploits and they'd like some other people to pony up so they can make it two while holding on to some super-secret exploits. 7337!

Anyway, slamming on Oracle seems a little silly. Its software, there will be problems.

--
Quack, quack.
Re:why don't by mrsbrisby · 2006-11-21 08:10 · Score: 2, Funny

Why don't Larry ellison imdemnify people against lost revenue because of bugs in Oracle?
To get to the other side?
Couldn't they have done this a year ago? by emil · 2006-11-21 08:29 · Score: 2, Interesting

The final CPU for the 8.1.7.4 database release comes out in January. It's highly unlikely that anything revealed in this effort will be fixed for 8.1.7.4.

That's an important release... it's the last one (that's supported) that will talk to Oracle 7 or early v8 databases (as a client). My company has thousands of win32 clients rolled out, and a fair number of servers supporting some critical apps (think Peoplesoft).

8.1.7.4 was a great release. Small, not a lot of cruft. I wish it (and we) weren't hanging in the breeze. DB2 customers are lucky for their long support.
Discovered in our DB class by Tawnos · 2006-11-21 09:34 · Score: 3, Interesting

Not necessarily a security bug, but it can be annoying. This comes from the project description, as a warning when trying to do natural joins for the project.
This query:

select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join item natural join product

is evaluated incorrectly in Oracle 10g (rel. 10.2.0.1).

Compare its output with the correct results generated by this query:

select ordid, lineno, orderdate
, descrip "Description"
, total
from item natural join product natural join ord

or this:

select ordid, lineno, orderdate
, descrip "Description"
, total
from ord natural join (item natural join product)

or this:

select ordid, lineno, orderdate
, prodid
, descrip "Description"
, total
from ord natural join item natural join product

This solution:

select ordid, lineno, orderdate
, descrip "Description"
, total
from (ord natural join item) natural join product

does not work either. The optimizer insists on doing a cartesian product between ORD and PRODUCT.

This is a new bug. It does not exist in Oracle 9i, which evaluates all queries correctly.
Check the Copyright - We Missed It... by Guido69 · 2006-11-21 15:52 · Score: 2

"© Copyright 2004 Argeniss. All Rights Reserved."

Must have been for 7i. Bet the response from Oracle will be something along the line of upgrade to 10g.

--
- If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright