
The best things in life may be free, but in software that statement isn’t so true. A free database based on the code of one of the most popular enterprise databases around sounds like a great deal, but it can quickly turn into a nightmare.

With data breaches becoming ever more common, storing data in an unpatched database is like playing Russian Roulette. Surprisingly, that’s exactly what anyone using Oracle Database Express Edition (Oracle Database XE) is doing, and there’s nothing they can do to stop it short of shelling out money for a paid Oracle product or migrating to a different database entirely.

Apparently, it comes as a surprise to many users of Oracle Database XE that when high-profile vulnerabilities, such as the ‘TNS Poisoning’ vulnerability (CVE-2012-1675), are announced, Oracle will not be supplying patches for their free product.

Unfortunately for users, Oracle doesn’t make it very clear that Oracle Database XE comes without any support at all: no patches, no matter how severe the vulnerability, and no upgrades other than major editions (such as 10g Express to 11g Express, released nearly 6 years apart).

It is stated in their license agreement – if anyone still reads those – but it’s easy to understand how users might assume that Oracle wouldn’t leave them completely vulnerable with a statement like:

“Our technical support organization will not provide technical support, phone support, or updates to you for the programs licensed under this agreement.”

Of course, one should never assume when it comes to license agreements.

The current version of Oracle Database 11g XE is based on Oracle Database 11.2, and was released in September 2011. Even with the best-case scenario that it was fully patched at the time of release, users of the XE database are currently exposed to three and a half years of publicly disclosed vulnerabilities.

Oracle has to date released 15 Critical Patch Updates for Oracle Database 11.2, covering 88 vulnerabilities. Not all components of Oracle Database 11.2 exist in Oracle Database XE, but even after removing the vulnerabilities that affect components not included in XE, more than half of the vulnerabilities remain.

Given this, it’s hard to see a legitimate use case for Oracle Database XE, especially when the paid versions of Oracle Database can also be used unpatched for free “for the purpose of developing, testing, prototyping and demonstrating.” The only ‘advantage’ that the free version has is that you can “deploy, and distribute” it as well. However, given the security risks, you should certainly think twice before doing so.

In the case of Oracle Database XE, it seems that all free really means is “very vulnerable.”

Oracle Database Express 11g Vulnerabilities:

CVE-2015-0455 XDB – XML Database
CVE-2015-0483 Core RDBMS
CVE-2015-0479 XDK and XDB – XML Database
CVE-2014-6567 Core RDBMS
CVE-2014-6577 XML Developer’s Kit for C
CVE-2015-0371 Core RDBMS
CVE-2014-6514 PL/SQL
CVE-2015-0370 Core RDBMS
CVE-2014-6544 JDBC
CVE-2014-4289 JDBC
CVE-2014-2478 Core RDBMS
CVE-2014-4236 RDBMS Core
CVE-2014-4237 RDBMS Core
CVE-2014-4245 RDBMS Core
CVE-2014-2406 Core RDBMS
CVE-2014-2408 Core RDBMS
CVE-2013-5853 Core RDBMS
CVE-2014-0377 Core RDBMS
CVE-2013-5858 Core RDBMS
CVE-2013-5764 Core RDBMS
CVE-2013-3826 Core RDBMS
CVE-2013-3751 XML Parser
CVE-2013-3774 Network Layer
CVE-2013-3760 Oracle executable
CVE-2013-3771 Oracle executable
CVE-2013-3789 Core RDBMS
CVE-2013-3790 Core RDBMS
CVE-2013-1554 Network Layer
CVE-2013-1538 Network Layer
CVE-2012-3137 Core RDBMS
CVE-2012-1751 Core RDBMS
CVE-2012-3132 Core RDBMS
CVE-2012-3151 Core RDBMS
CVE-2012-3146 Core RDBMS
CVE-2012-1745 Network Layer
CVE-2012-1746 Network Layer
CVE-2012-1747 Network Layer
CVE-2012-3134 Core RDBMS
CVE-2012-0519 Core RDBMS
CVE-2012-0534 RDBMS Core
CVE-2012-0082 Core RDBMS
CVE-2012-0072 Listener
CVE-2011-2301 Oracle Text
CVE-2011-3512 Core RDBMS

Vulnerabilities in Optional or Partially Supported Components:

CVE-2014-6578 Workspace Manager
CVE-2014-6541 Recovery
CVE-2011-3389 Oracle Security Service
CVE-2013-0169 Oracle Security Service

Unsupported components (40 CVEs affected these components):

Java VM
OJVM
JPublisher
SQLJ
Spatial
Workload Manager
Enterprise Manager
Database Vault

  • John Walker

    This is, in my opinion, a disgusting tactic that offers a free product with the associated hook to leave the product exposed – and in the current age of threats, this is a position which is criminal by inference. However, this is no surprise, as only this last weekend I was in the company of an ex-Oracle salesperson, and to say the least, what was shared suggested a very sharp company who leverage every and any opportunity to extract funds from licensed products, where the end user has been misguided to think they have a good deal – however, when it comes down to leaving systems exposed to attack and security compromise, this is just about as low as you can go.

    By the way – great article.

    • Tim

      Why do you think there was such a shift to say … Postgres?

  • John Walker

    If I may, I would add, this is very much aligned to my next article, and does expand on the issue of insecurity, and even more – 'ethics'.

  • Anmol Vachan

    This is the truth: with data breaches becoming ever more common, storing data in an unpatched database is really insecure; I will even say you are exposed to danger. Thank you for the clarification.