Alex Rothacker with TeamSHATTER said that this is the lowest number of Database patches since the company’s quarterly critical patch update (CPU) process began.
“Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and is now suddenly secure”, Rothacker quipped in a blog. He noted that TeamShatter has a list of open issues regarding Database vulnerabilities. “The conclusion to be drawn can only be that they continue to water down their resources focused on Oracle Database fixes”, he said.
Amichai Shulman, chief technology officer with Imperva, agreed with Rothacker’s assessment. “There are only two vulnerabilities in the database product. Why? Either the database server has reached an amazing maturity in terms of security or Oracle did not have enough resources to include more fixes into the process”, he wrote in a recent blog.
In an October blog post, Oracle’s software security assurance director, Eric Maurice, offered a different explanation for the slowdown in Database patches. He wrote that Oracle has “weeded out many of the vulnerabilities that were contained in the [Database Server] code base. Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced.”