Oracle database flaws affect virtually all financial transactions

Summary: Security flaws discovered in Oracle's enterprise database application could in theory affect virtually all financial transactions. However, the company is playing down any potential security risks.

Oracle is keeping quiet about allegations that its ubiquitous database has at least 30 security vulnerabilities that could allow hackers to compromise the confidentiality of virtually all financial transactions.

David Litchfield, the MD of UK-based developer Next Generation Security Software, told The Wall Street Journal that he had discovered more than 30 security holes in Oracle's database that could allow hackers to compromise information stored within its records.

Oracle's relational database is used by so many enterprises, financial institutions, public organisations and e-commerce Web sites that virtually every financial transaction conducted will, at some point, pass through an Oracle database.

On Tuesday, Oracle refused to speak about the alleged flaws and instead issued a statement that neither confirmed nor denied the allegations. Instead, the company claimed its product was more secure than rival databases from IBM and Microsoft.

"Oracle, of any major software vendor, offers the most widely tested security software with 18 international security evaluations, compared to one evaluation for Microsoft's database and none for IBM," the statement said.

In a statement, Oracle said that "when software security flaws are discovered, Oracle responds as quickly as possible with patches and work-arounds in order to help protect information secured by customers in Oracle-based information systems."

According to the WSJ, Litchfield found problems in the PL/SQL code, which is used by custom applications to communicate with the database. If this code is flawed, administrators may be required to modify all their applications in order to properly secure them.

James Governor, principal analyst at RedMonk, said the flaw could cause a lot of problems for database administrators as Oracle will not be able to simply issue a patch because of the nature of the problem.

"If this is going to affect PL/SQL code, there is an awful lot of home-grown PL/SQL code out there -- it's not a packaged application that Oracle can patch," said Governor.

Governor said that a significant proportion of companies use Oracle for their transactional applications, and that Oracle has been pitching its database as a solution to enterprises' security problems for many years.

"Most financial transactions touch an Oracle database somewhere along the line. They have been pitching the idea that Oracle is a more secure database than other environments, and should be used as the heart of security in multiple environments," said Governor.

Governor said Litchfield's comments should be taken seriously because he has been responsible for uncovering security vulnerabilities in the past.

"Litchfield has uncovered significant vulnerabilities in other environments before and has a track record of someone that potentially we should listen to," said Governor.

ZDNet UK's Graeme Wearden contributed to this report.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

  • Errr, I thought Oracle said they were "Unbreakable". The first step to solving security issues is to admit you have them and put a credible programme in place to resolve them (as Microsoft has done with its Trustworthy Computing initiative). Oracle can't even get to first base and admit their products are full of holes.
    anonymous