Oracle is the go-to guy of enterprise databases. Data is the anchor for corporations with global reach, and large organizations run clusters of databases for security, for performance, and to deal with the complexity and scope of their operations. That dependable Oracle database has been holed below the waterline.
InfoWorld has discovered a fundamental flaw in the counters that allow transactions on Oracle databases to be synchronized around the globe. There is a Y2K-like error in the way backups and some transactions cause the counter to be incremented towards the upper limit of its value. The result is that an intruder using routine commands could break the database. The larger the database and the more nodes it has, the bigger the vulnerability. Basically, a storm of increments made to keep the nodes synchronized can rather quickly bring the counter to its limit.
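To make the "storm of increments" concrete, here is a small simulation I have added to this post; it is not code from InfoWorld, Oracle or any Oracle product. It models each database as a node with a monotonically increasing counter, and models synchronization between linked nodes in the simplest way possible: both ends adopt the higher counter. The ceiling, the commit rates and the "backup-heavy" node are all constructed values, chosen so the effect is visible in a few rounds; real Oracle limits are far larger. What it shows is the defender's point of the story: once nodes are linked, the whole cluster sits at the counter value of its busiest member, so headroom has to be watched cluster-wide, not per node.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed illustrative ceiling; the real product's limit is much larger.
SCN_CEILING = 1_000_000


@dataclass
class Node:
    """One database in the cluster with its own change counter."""
    name: str
    scn: int = 0

    def commit(self, n: int = 1) -> None:
        # Every committed transaction (and, per the story, backups) moves the counter up.
        self.scn += n


def sync(a: Node, b: Node) -> int:
    """Synchronize two linked nodes: both adopt the higher counter (assumed model)."""
    top = max(a.scn, b.scn)
    a.scn = b.scn = top
    return top


def headroom(node: Node, ceiling: int = SCN_CEILING) -> float:
    """Fraction of the counter range still unused on one node."""
    return (ceiling - node.scn) / ceiling


def cluster_headroom(nodes: List[Node], ceiling: int = SCN_CEILING) -> float:
    """The cluster is only as healthy as its most exhausted node."""
    return min(headroom(n, ceiling) for n in nodes)


def build_ring() -> Tuple[List[Node], List[Tuple[Node, Node]]]:
    """Three nodes linked in a ring (constructed topology)."""
    a, b, c = Node("A"), Node("B"), Node("C")
    return [a, b, c], [(a, b), (b, c), (c, a)]


def simulate(nodes: List[Node], links: List[Tuple[Node, Node]], rounds: int,
             burst_node: Node, burst_size: int,
             ceiling: int = SCN_CEILING) -> List[float]:
    """Each round: every node commits once, the burst node (e.g. one running
    backups) commits burst_size extra, then every link synchronizes.
    Returns the cluster headroom after each round."""
    history = []
    for _ in range(rounds):
        for n in nodes:
            n.commit()
        burst_node.commit(burst_size)
        for x, y in links:
            sync(x, y)
        history.append(cluster_headroom(nodes, ceiling))
    return history


def rounds_until_exhausted(history: List[float], threshold: float) -> Optional[int]:
    """First round (1-based) at which cluster headroom drops below threshold, or None.
    This is the kind of alert a monitoring job would raise long before the limit."""
    for i, h in enumerate(history, start=1):
        if h < threshold:
            return i
    return None


if __name__ == "__main__":
    nodes, links = build_ring()
    busy = nodes[2]  # node C models the backup-heavy member
    hist = simulate(nodes, links, rounds=10, burst_node=busy, burst_size=10_000)
    for n in nodes:
        print(f"{n.name}: scn={n.scn} headroom={headroom(n):.4f}")
    # An unlinked node with the same light workload stays almost untouched.
    lone = Node("D")
    for _ in range(10):
        lone.commit()
    print(f"D (unlinked): scn={lone.scn}")
    nodes, links = build_ring()
    hist = simulate(nodes, links, rounds=200, burst_node=nodes[2], burst_size=10_000)
    print("alert at round:", rounds_until_exhausted(hist, threshold=0.05))
```

After ten rounds every linked node, including the two that only commit once per round, carries the busy node's counter, while the unlinked node D is at 10. The alert function is the part worth keeping: a threshold on cluster-wide headroom is what turns this from a surprise outage into a scheduled maintenance window.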
There are a couple of fixes for this problem: a temporary shutdown to reset the counter and/or a patch that Oracle has developed. Either is a costly interruption in the service upon which Oracle has built a saleable reputation.
This is another example of how IT with a monoculture of software can leave itself open to serious threats. That even the normal backup procedure, relied upon as the ultimate security layer, is part of the problem must be giving system admins nightmares. I would bet there are a lot of Post-it™ notes up today logging the idea of rethinking the databasery of large organizations and aspiring smaller organizations. I would bet some are considering PostgreSQL or dual-database systems to close out the possibility of database-Armageddon in the future. I would bet a few intruders will find unpatched systems out there with which to create some chaos.
The ultimate blow to Oracle’s reputation in all this is that Oracle was aware of the problem and assumed users would never find it. They were counting on security through obscurity.
“After much discussion and exchange of technical data, Oracle acknowledged that there were ways to increase the SCN at will. Referring to one method, Townsend said, ‘This is an undocumented, hidden parameter, so it was never intended for customers to discover and use this.’
However, we pointed out that there were several other methods that could be used; we sent those to Oracle as well.”
Is that good enough for a licence that costs £31,839.00 / Processor?
Once again, we see that dependence/lock-in to a single source of supply for anything in IT can be fatal. We saw that in Wintel (both costs and malware), hard drives made in Malaysia (flooding interrupted supply), and now databases. IT systems need to be robust and flexible which is not what lock-in gives.
For those considering PostgreSQL, you might be interested in the offerings by EnterpriseDB.
“EnterpriseDB is the only worldwide provider of enterprise-class products and services based on PostgreSQL, the world’s most advanced and independent open source database.
Postgres Plus Advanced Server provides the most popular enterprise class features found in the leading proprietary products but at a dramatically lower total cost of ownership across transaction intensive as well as read intensive applications. Advanced Server also enables seamless migrations from Oracle® that save up to 90% of the cost of typical migrations.”