Application Security, Inc.'s TeamSHATTER Reports 50% of Database Vulnerabilities in January 2011 Oracle Critical Patch Update

Unpatched databases are vulnerable to complete takeover of the database

Application Security, Inc. (AppSec), the leading provider of database security, risk and compliance (SRC) solutions for the enterprise, today announced that TeamSHATTER researchers Esteban Martinez Fayo and Martin Rakhmanov have been credited by Oracle with reporting three of the six database vulnerabilities in the January 2011 Oracle Critical Patch Update (CPU).

The latest CPU contains 66 security vulnerability fixes across multiple Oracle products, six of which are specific to the Oracle database. Of the six Oracle database server vulnerabilities, one has been assigned a CVSS (Common Vulnerability Scoring System) score of 10 out of 10, the highest possible risk rating. Another was assigned a score of 7.5 out of 10, representing significant risk. In addition, two of the database vulnerabilities may be remotely exploitable without authentication.

AppSec supports every Oracle CPU by updating its market-leading solutions, AppDetectivePro for auditors and IT advisors and DbProtect for the enterprise with the appropriate scanning checks and monitoring filters through its monthly ASAP Update™ (Application Security Automatic Protection) process. DbProtect updates will include monitoring filters for the new security vulnerabilities, enabling customers to protect sensitive information during the deployment of new patches across their database infrastructure.

AppSec's TeamSHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.

In this CPU, Esteban Martinez Fayo of TeamSHATTER was credited with reporting two database vulnerabilities, CVE-2010-4420 and CVE-2010-4421, both in the 'Database Vault' component, an Oracle security add-on. In addition, Martin Rakhmanov identified CVE-2010-4423 in the 'Cluster Verify Utility' component, which only affects Oracle on Microsoft Windows. This vulnerability allows complete takeover of the database server and host during installation, setup modification or upgrade of Oracle.

"Three of the vulnerabilities in this CPU are directly related to Oracle Database Vault and Oracle Audit Vault," said Alex Rothacker, Director of Security for AppSec's TeamSHATTER. "These services are supposed to enhance security. It is very disconcerting that rather than reducing risk, these three vulnerabilities actually introduce significant risk, and in one case allows for a remote, full, and unauthenticated takeover of the system."

TeamSHATTER's researchers have been credited for reporting vulnerabilities in 14 out of the last 15 quarters. The TeamSHATTER vulnerability knowledgebase is the largest and most up-to-date offering of its kind. By identifying and remediating critical database vulnerabilities TeamSHATTER ensures that AppSec customers' data is safe from internal and external threats.

AppSec's TeamSHATTER has identified the following vulnerabilities as high risk:

• CVE-2010-4449: a full CVSS 10 vulnerability (complete takeover of the database and host) in Audit Vault
• CVE-2010-3600: this vulnerability allows full unauthenticated compromise of the database server, but not the host. TeamSHATTER believes it should be ranked at CVSS 10, but Oracle applied its Partial+ impact rating, which yields only a 7.5

According to TeamSHATTER's Alex Rothacker, "Although CVE-2010-3600 is rated by Oracle with a CVSS score of 7.5, this vulnerability is more severe than the score suggests, since it allows for complete takeover of the database management system (DBMS). In certain cases the CVSS ratings for vulnerabilities do not adequately reflect the threat to critical databases. TeamSHATTER suggests that this vulnerability should be scored as a CVSS version 10."

AppSec's TeamSHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has pioneered vulnerability assessment and prevention. The team understands how to make security an integral part of an enterprise's database security and network management infrastructure. TeamSHATTER's ongoing mission is to focus on researching and providing easy-to-use, high-quality, and effective security solutions.