Oracle security is a funny thing. Take this alert from red-database for example:
By specifying a special value for the parameter desname Oracle Reports can overwrite any file on the application server.
[…]
History
12-aug-2003 Oracle secalert was informed
26-sep-2003 Bug confirmed
15-apr-2005 Red-Database-Security informed Oracle secalert that this vulnerability will be published after CPU July 2005
Red-Database-Security offered Oracle more time if it is not possible to provide a fix ==> NO FEEDBACK.
12-jul-2005 Oracle published CPU July 2005 without fixing this issue
18-jul-2005 Red-Database-Security published this advisory
21-jul-2005 Cert VU# and affected products added
25-aug-2005 CVE number added
16-sep-2005 Workaround was incomplete and is now correct (Thanks to D. Nachbar for this information)
13-jan-2005 days since initial report updated
17-jan-2006 Oracle published the Critical Patch Update January 2006 (CPU January 2006)
19-jan-2006 Oracle Vuln# REP06
Note the almost three years between first notice and critical patch.
I ran into a problem recently, similar to this, which led to a conversation with an Oracle DBA about vulnerabilities. I am not exaggerating when I say I was asked “What is SSL?” and “How do I know if the system can access the Internet?” No, really.
Insecure products, combined with a lack of security awareness among their minions, make Oracle a real liability for many companies. The cost of fixing their software must be a lot to bear. On the other hand they seem to have the money to cut a 10-year deal with a sports stadium and co-sponsor a boat (team Oracle-BMW) in the America’s Cup. Here’s my favorite part of these high profile marketing stories:
The Oracle is the premier entertainment venue in Northern California…
With all the vulnerabilities I keep finding, I couldn’t agree more. Entertaining, but sad too.