Entries For: May 2007
May 29, 2007
Is the Oracle Database Indefensible?
I think his observation at a macro level is generally correct. Oracle seems to have arrived at the "secure coding" party late and has a significant C code base, some of which dates all the way back to around 1982. Many of the standard PL/SQL packages and associated C libraries were originally written in the early 1990s. A fun excursion is to look at the modification history of the $ORACLE_HOME/rdbms/admin SQL scripts -- you will see many of these scripts were created 10 to 20 years ago. Remember that the terms "buffer overflow" and "SQL injection" didn't really enter the lexicon until 1996 and 2000, respectively.
To judge Oracle on secure coding, you really need to look at the number of vulnerabilities affecting only recent versions of the database and application server. So far, the results are mixed, but encouraging. More time has to elapse, though, to see what security bugs are still in the queue.
Mary Ann Davidson, Oracle CSO, frequently talks about secure coding and how vendors should be more public about their development practices. I would really like to know what Oracle is doing about the large database code base where over 150 security bugs have been fixed to date. Oracle has purchased Fortify as a source code scanning tool, but is there a team of 20 or 100 people dedicated to reviewing every line of code? Many of the security bugs being found today could have been found internally 3 or 4 years ago.
May 03, 2007
11i: ATG RUP5 and CPU Impact
Oracle has released the latest ATG rollup RUP5 (official name is 11i.ATG_PF.H.delta.5). From a security perspective, RUP5 is important in three regards -
- The ATG rollups contain a number of security enhancements
- RUP5 incorporates ATG CPU patches from January 2005 to January 2007
- Starting with the July 2007 CPU, only RUP(n) and RUP(n-1) will be supported
RUP5 Security Enhancements
The recent ATG rollup patches have included a number of security enhancements. The following are some of the security enhancements in RUP5 -
- WebADI Parameter Security
- Improved delegation of Workflow monitoring privileges
- Improved delegation of access to Workflow notifications
Included CPU Patches
The RUP patches include previous CPU patches and RUP5 includes almost all ATG CPU patches from January 2005 to January 2007. THIS IS ONLY ATG PATCHES and not functional module patches. "The following core ATG products are included in 11i.ATG_PF.H.delta.5: FND, OAM, OWF, FWK, JTT, JTA, TXK, XDO, ECX, EC, AK, ALR, UMX, BNE, and FRM." For AutoConfig enabled customers, the only missing ATG CPU patch is 5658489, which is the cumulative TechStack patch for January 2007.
CPU Support for RUP(n) and RUP(n-1)
"Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology will support only the current and previous production rollups (RUP N and RUP N-1) as patching baselines for all 11i releases." Based on Oracle's policy and prior CPU support history, we anticipate only RUP4 and RUP5 will be supported for the July 2007 CPU. This applies to all Oracle Applications 11i versions from 11.5.7 through 11.5.10.2, whereas the April 2007 CPU and prior CPUs only covered 11.5.10.x.
With RUP4 being released in August 2006 and RUP3 in January 2006, we believe there is a 50% probability that Oracle will support RUP3 in the July 2007 CPU. However, we believe there is no likelihood that RUP3 will be supported for the October 2007 CPU. Oracle's decision on RUP3 support will be based on customer feedback, rather than on any technical issues or on the significant regression testing effort required to certify the CPU patches for RUP3.