Oracle's refusal to get specific about the vulnerabilities addressed by a recent patch increase the risk to customers, a pair of Gartner analysts has alleged.
Gartner's Neil MacDonald and Rich Mogull said that Oracle has declined to provide more detailed information about the vulnerabilities that spawned a patch first released in August, then re-released in October.
Although keeping mum is Oracle's standard policy, the analysts took the company to task for failing to spell out the consequences of not applying the patch, and more importantly, whether the vulnerabilities affected older, non-supported versions of Oracle's Database Server, Application Server, and Enterprise Manager.
"At worst, [this means] records in every Oracle database you own could be vulnerable," the pair wrote in an online alert posted to the Gartner website.
It may be smart to not provide hackers information that could be used to craft exploits, but that "differs from offering information about the implications of not protecting yourself against that exploit," the guys from Gartner wrote.
"System administrators don't have enough information to decide which servers to prioritise or which data is most vulnerable."
And if Oracle offered more detail about the vulnerability, customers might be able to set up defences, such as deep-packet inspection firewalls, intrusion prevention systems, and application firewalls to protect themselves against attacks, they added.
MacDonald and Mogull recommended that enterprises using the Oracle products apply the patches to supported versions. If older editions are in use, such as 7.x or 8.0x, they advised companies to either upgrade immediately or switch to a rival database.
They also urged Oracle customers to put pressure on the database giant.
"Ask Oracle to follow Microsoft and other leaders that disclose the details of their vulnerabilities and provide security patches freely to anyone on any supported version of their products," they recommended.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
