Application Security, Inc.'s TeamSHATTER Discovers Seven Database Vulnerabilities In April 2012 Oracle Critical Patch Update

NEW YORK--(BUSINESS WIRE)--

Application Security, Inc. (AppSecInc), the leading provider of database security solutions for the enterprise, today announced that TeamSHATTER's Technical Lead for Security Research, Esteban Martinez Fayo, has been credited by Oracle for discovering and reporting seven out of the twelve database-related vulnerabilities disclosed in the April 2012 Oracle Critical Patch Update (CPU). TeamSHATTER researchers have been credited for reporting vulnerabilities in 27 of the 30 Oracle CPUs since the program's inception in 2005.

The April 2012 CPU contains a total of 88 security vulnerability fixes across multiple Oracle products, twelve of which are specific to database products. Six patches were issued for the Oracle Database Server and six for the Oracle Enterprise Manager Grid Control. TeamSHATTER was responsible for discovering seven of the twelve, including three for the Oracle Database Server and four for the Oracle Enterprise Manager Grid Control product. An analysis and recommended call-to-action for each of the database vulnerabilities is available here: https://www.teamshatter.com/?p=3406

“Just when we thought Oracle threw in the towel on fixing database vulnerabilities, they follow up their record low database-related fixes from the last CPU in January with a dozen fixes in the April 2012 CPU,” said Alex Rothacker, Director of Security Research, AppSecInc's TeamSHATTER. “While we hope that this is an indication of Oracle's renewed focus on database security improvements, we are quite disappointed that it took them over two and a half years to fix a high risk vulnerability that we reported to them in October 2009. It is just not acceptable to leave users at risk for that long.”

Rothacker continues, “In reviewing this CPU, another tremendous concern I have is that 33 of the 88 vulnerabilities fixed were remotely exploitable without authentication, which means that anybody on the network can exploit these. That is a massive amount of flaws of this nature to have across the Oracle product line. Hopefully that is not a trend that we continue to see more of in future CPU cycles.”

The TeamSHATTER vulnerability knowledgebase is the largest and most up-to-date offering of its kind. By identifying and remediating critical database vulnerabilities, TeamSHATTER helps to ensure that AppSecInc customer data is safe from internal and external threats.

AppSecInc supports every Oracle CPU by updating its market-leading solutions, AppDetectivePro for auditors and IT advisors and DbProtect for the enterprise, with the appropriate scanning checks and monitoring filters through its monthly ASAP Update™ (Application Security Automatic Protection) process. DbProtect updates will include monitoring filters for the new security vulnerabilities, enabling customers to protect sensitive information during the deployment of new patches across their database infrastructure.

About TeamSHATTER

TeamSHATTER, the research arm of Application Security, Inc., is the largest dedicated database security, vulnerability and misconfiguration research team in the world. TeamSHATTER maintains the most comprehensive knowledgebase of database vulnerability and misconfiguration checks in the industry and understands how to make security an integral part of an enterprise's database security and network management infrastructure. TeamSHATTER regularly publishes security advisories, technical papers and research information on www.TeamSHATTER.com.

About Application Security, Inc.

AppSecInc is a pioneer and leading provider of database security solutions for the enterprise. By providing strategic and scalable software-only solutions – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – AppSecInc supports the database security lifecycle for some of the most complex and demanding environments in the world across more than 1,300 active commercial and government customers.

Leveraging the world's most comprehensive database security knowledgebase from the company's renowned team of threat researchers, TeamSHATTER, AppSecInc products help customers achieve unprecedented levels of data security from nefarious or accidental activities, while reducing overall risk and helping to ensure continuous regulatory and industry compliance.

For more information, please visit: www.appsecinc.com | www.teamshatter.com

For a free database vulnerability assessment visit: http://www.appsecinc.com/downloads/appdetectivepro/

Follow us on Twitter: www.twitter.com/appsecinc | www.twitter.com/teamshatter

DbProtect and AppDetectivePro are trademarks of Application Security, Inc. All other product names, service marks, and trademarks mentioned herein are trademarks of their respective owners.

Application Security, Inc.
Tim Whitman, 781-687-1063
twhitman@appsecinc.com
