Image
Image
Unfortunately for users, Oracle doesn't make it very clear that Oracle Database XE comes without any support at all, including upgrades (other than major editions, such as 10g Express to 11g Express, released nearly 6 years apart) or patches, no matter how severe the vulnerability.
It is stated in their license agreement – if anyone still reads those – but it’s easy to understand how users might assume that Oracle wouldn't leave them completely vulnerable with a statement like:
"Our technical support organization will not provide technical support, phone support, or updates to you for the programs licensed under this agreement."Of course, one should never assume when it comes to license agreements. The current version of Oracle Database 11g XE is based on Oracle Database 11.2, and was released in September 2011. Even with the best-case scenario that it was fully patched at the time of release, users of the XE database are currently exposed to three and a half years of publicly disclosed vulnerabilities. Oracle has to-date released 15 Critical Patch Updates for Oracle Database 11.2 covering 88 vulnerabilities, and while not all components of Oracle Database 11.2 exist in Oracle Database XE, even after removing the vulnerabilities that affect components not included in XE, more than half of the vulnerabilities remain. Given this, it’s hard to see a legitimate use case for Oracle Database XE, especially when the paid versions of Oracle Database can also be used unpatched for free “for the purpose of developing, testing, prototyping and demonstrating.” The only ‘advantage’ that the free version has is that you can “deploy, and distribute” it as well. However, given the security risks, you should certainly think twice before doing so. In the case of Oracle Database XE, it seems that all free really means is "very vulnerable." Oracle Database Express 11g Vulnerabilities:
| CVE-2015-0455 | XDB - XML Database |
| CVE-2015-0483 | Core RDBMS |
| CVE-2015-0479 | XDK and XDB - XML Database |
| CVE-2014-6567 | Core RDBMS |
| CVE-2014-6577 | XML Developer's Kit for C |
| CVE-2015-0371 | Core RDBMS |
| CVE-2014-6514 | PL/SQL |
| CVE-2015-0370 | Core RDBMS |
| CVE-2014-6544 | JDBC |
| CVE-2014-4289 | JDBC |
| CVE-2014-2478 | Core RDBMS |
| CVE-2014-4236 | RDBMS Core |
| CVE-2014-4237 | RDBMS Core |
| CVE-2014-4245 | RDBMS Core |
| CVE-2014-2406 | Core RDBMS |
| CVE-2014-2408 | Core RDBMS |
| CVE-2013-5853 | Core RDBMS |
| CVE-2014-0377 | Core RDBMS |
| CVE-2013-5858 | Core RDBMS |
| CVE-2013-5764 | Core RDBMS |
| CVE-2013-3826 | Core RDBMS |
| CVE-2013-3751 | XML Parser |
| CVE-2013-3774 | Network Layer |
| CVE-2013-3760 | Oracle executable |
| CVE-2013-3771 | Oracle executable |
| CVE-2013-3789 | Core RDBMS |
| CVE-2013-3790 | Core RDBMS |
| CVE-2013-1554 | Network Layer |
| CVE-2013-1538 | Network Layer |
| CVE-2012-3137 | Core RDBMS |
| CVE-2012-1751 | Core RDBMS |
| CVE-2012-3132 | Core RDBMS |
| CVE-2012-3151 | Core RDBMS |
| CVE-2012-3146 | Core RDBMS |
| CVE-2012-1745 | Network Layer |
| CVE-2012-1746 | Network Layer |
| CVE-2012-1747 | Network Layer |
| CVE-2012-3134 | Core RDBMS |
| CVE-2012-0519 | Core RDBMS |
| CVE-2012-0534 | RDBMS Core |
| CVE-2012-0082 | Core RDBMS |
| CVE-2012-0072 | Listener |
| CVE-2011-2301 | Oracle Text |
| CVE-2011-3512 | Core RDBMS |
| CVE-2014-6578 | Workspace Manager |
| CVE-2014-6541 | Recovery |
| CVE-2011-3389 | Oracle Security Service |
| CVE-2013-0169 | Oracle Security Service |
| Java VM |
| OJVM |
| JPublisher |
| SQLJ |
| Spatial |
| Workload Manager |
| Enterprise Manager |
| Database Vault |
