Flaws Show Need to Update Oracle Product Management Practices





A new set of critical vulnerabilities shows that Oracle can no longer be considered a bastion of security. Database and application managers must begin protecting and maintaining Oracle systems more aggressively.

News Analysis


On 17 January 2006, Oracle released its latest Critical Patch Update (CPU), which includes patches for 82 vulnerabilities across multiple product lines, including: all currently supported Oracle databases; Oracle Application Server; Oracle Enterprise Manager; Oracle Collaboration Suite; Oracle E-Business Suite; PeopleSoft applications; and JD Edwards applications. Oracle has made information on related security issues and practices available at:


Gartner supports the quarterly CPU program, which enables system administrators to plan and schedule Oracle maintenance. However, the range and seriousness of the vulnerabilities patched in this update cause us great concern. The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur.

Many Oracle administrators rely on a combination of the company's historically strong security and the fact that Oracle applications and databases are typically located deep within the enterprise, and so neglect to patch their systems regularly. Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports. These practices are no longer acceptable, because:

  • Critical Oracle vulnerabilities are being discovered and disclosed at an increasing rate, and exploit tools and proof-of-concept code are appearing more regularly on the Internet.

  • Oracle provides only very limited information about vulnerabilities — far less than is industry-standard — making it difficult for enterprises to evaluate the risk. The company sometimes patches internally discovered vulnerabilities without releasing details.

  • The quality and ease of use of Oracle patches still require improvement, because of reported installation and stability problems.

  • Oracle does not describe manual "workarounds," because they typically do not work across the entire stack of Oracle products. This practice makes it difficult for managers of Oracle systems to make informed risk decisions.

Recommendations for enterprises using Oracle databases and applications

1. Move immediately to shield these systems as well as possible, using firewalls, intrusion prevention systems and other technologies. Develop a shielding schedule that coincides with Oracle CPU release dates.

2. Apply the available patches as rapidly as possible, because incomplete information from Oracle will necessarily make shielding incomplete.

3. Use alternative security tools, such as activity-monitoring technologies, to detect unusual activity.

4. Pressure Oracle to change its security management practices.

Analytical Source: Rich Mogull, Gartner Research


© 2006 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
