The best things in life may be free but in software, that statement isn’t so true. A free database based on the code of one of the most popular enterprise databases around sounds like a great deal, but it can quickly turn into a nightmare.
With data breaches becoming ever more common, storing data in an unpatched database is like playing Russian Roulette. Surprisingly, that’s exactly what anyone using Oracle Database Express Edition (Oracle Database XE) is doing, and there’s nothing they can do to stop it short of shelling out money for a paid Oracle product or migrating to a different database entirely.
Apparently, it comes as a surprise to many users of Oracle Database XE that when high-profile vulnerabilities, such as the ‘TNS Poisoning’ vulnerability (CVE 2012-1675) are announced that Oracle will not be supplying them with patches for their free product.
Unfortunately for users, Oracle doesn’t make it very clear that Oracle Database XE comes without any support at all, including upgrades (other than major editions, such as 10g Express to 11g Express, released nearly 6 years apart) or patches, no matter how severe the vulnerability.
It is stated in their license agreement – if anyone still reads those – but it’s easy to understand how users might assume that Oracle wouldn’t leave them completely vulnerable with a statement like:
“Our technical support organization will not provide technical support, phone support, or updates to you for the programs licensed under this agreement.”
Of course, one should never assume when it comes to license agreements.
The current version of Oracle Database 11g XE is based on Oracle Database 11.2, and was released in September 2011. Even with the best-case scenario that it was fully patched at the time of release, users of the XE database are currently exposed to three and a half years of publicly disclosed vulnerabilities.
Oracle has to-date released 15 Critical Patch Updates for Oracle Database 11.2 covering 88 vulnerabilities, and while not all components of Oracle Database 11.2 exist in Oracle Database XE, even after removing the vulnerabilities that affect components not included in XE, more than half of the vulnerabilities remain.
Given this, it’s hard to see a legitimate use case for Oracle Database XE, especially when the paid versions of Oracle Database can also be used unpatched for free “for the purpose of developing, testing, prototyping and demonstrating.” The only ‘advantage’ that the free version has is that you can “deploy, and distribute” it as well. However, given the security risks, you should certainly think twice before doing so.
In the case of Oracle Database XE, it seems that all free really means is “very vulnerable.”
Oracle Database Express 11g Vulnerabilities:
|CVE-2015-0455||XDB – XML Database|
|CVE-2015-0479||XDK and XDB – XML Database|
|CVE-2014-6577||XML Developer’s Kit for C|
Vulnerabilities in Optional or Partially Supported Components:
|CVE-2011-3389||Oracle Security Service|
|CVE-2013-0169||Oracle Security Service|
Unsupported components (40 CVEs affected these components):