
The best things in life may be free but in software, that statement isn’t so true. A free database based on the code of one of the most popular enterprise databases around sounds like a great deal, but it can quickly turn into a nightmare.

With data breaches becoming ever more common, storing data in an unpatched database is like playing Russian roulette. Surprisingly, that’s exactly what anyone using Oracle Database Express Edition (Oracle Database XE) is doing, and there’s nothing they can do to stop it short of shelling out money for a paid Oracle product or migrating to a different database entirely.

Apparently, it comes as a surprise to many users of Oracle Database XE that when high-profile vulnerabilities, such as the ‘TNS Poisoning’ vulnerability (CVE-2012-1675), are announced, Oracle will not be supplying them with patches for their free product.

Unfortunately for users, Oracle doesn’t make it very clear that Oracle Database XE comes without any support at all, including upgrades (other than major editions, such as 10g Express to 11g Express, released nearly 6 years apart) or patches, no matter how severe the vulnerability.

It is stated in their license agreement – if anyone still reads those – but it’s easy to understand how users might assume that Oracle wouldn’t leave them completely vulnerable with a statement like:

“Our technical support organization will not provide technical support, phone support, or updates to you for the programs licensed under this agreement.”

Of course, one should never assume when it comes to license agreements.

The current version of Oracle Database 11g XE is based on Oracle Database 11.2, and was released in September 2011. Even with the best-case scenario that it was fully patched at the time of release, users of the XE database are currently exposed to three and a half years of publicly disclosed vulnerabilities.

Oracle has to date released 15 Critical Patch Updates for Oracle Database 11.2 covering 88 vulnerabilities. Not all components of Oracle Database 11.2 exist in Oracle Database XE, but even after removing the vulnerabilities that affect components not included in XE, more than half of the vulnerabilities remain.

Given this, it’s hard to see a legitimate use case for Oracle Database XE, especially when the paid versions of Oracle Database can also be used unpatched for free “for the purpose of developing, testing, prototyping and demonstrating.” The only ‘advantage’ that the free version has is that you can “deploy, and distribute” it as well. However, given the security risks, you should certainly think twice before doing so.

In the case of Oracle Database XE, it seems that all free really means is “very vulnerable.”

Oracle Database Express 11g Vulnerabilities:

CVE-2015-0455 XDB – XML Database
CVE-2015-0483 Core RDBMS
CVE-2015-0479 XDK and XDB – XML Database
CVE-2014-6567 Core RDBMS
CVE-2014-6577 XML Developer’s Kit for C
CVE-2015-0371 Core RDBMS
CVE-2014-6514 PL/SQL
CVE-2015-0370 Core RDBMS
CVE-2014-6544 JDBC
CVE-2014-4289 JDBC
CVE-2014-2478 Core RDBMS
CVE-2014-4236 RDBMS Core
CVE-2014-4237 RDBMS Core
CVE-2014-4245 RDBMS Core
CVE-2014-2406 Core RDBMS
CVE-2014-2408 Core RDBMS
CVE-2013-5853 Core RDBMS
CVE-2014-0377 Core RDBMS
CVE-2013-5858 Core RDBMS
CVE-2013-5764 Core RDBMS
CVE-2013-3826 Core RDBMS
CVE-2013-3751 XML Parser
CVE-2013-3774 Network Layer
CVE-2013-3760 Oracle executable
CVE-2013-3771 Oracle executable
CVE-2013-3789 Core RDBMS
CVE-2013-3790 Core RDBMS
CVE-2013-1554 Network Layer
CVE-2013-1538 Network Layer
CVE-2012-3137 Core RDBMS
CVE-2012-1751 Core RDBMS
CVE-2012-3132 Core RDBMS
CVE-2012-3151 Core RDBMS
CVE-2012-3146 Core RDBMS
CVE-2012-1745 Network Layer
CVE-2012-1746 Network Layer
CVE-2012-1747 Network Layer
CVE-2012-3134 Core RDBMS
CVE-2012-0519 Core RDBMS
CVE-2012-0534 RDBMS Core
CVE-2012-0082 Core RDBMS
CVE-2012-0072 Listener
CVE-2011-2301 Oracle Text
CVE-2011-3512 Core RDBMS


Vulnerabilities in Optional or Partially Supported Components:

CVE-2014-6578 Workspace Manager
CVE-2014-6541 Recovery
CVE-2011-3389 Oracle Security Service
CVE-2013-0169 Oracle Security Service


Unsupported components (40 CVEs affected these components):

Java VM
Workload Manager
Enterprise Manager
Database Vault