One of the reasons why IT pros choose big-name brand products from companies like Oracle is the security they assume comes with them. This isn’t an in-house product whipped up by your college kid intern while he was simultaneously trying to write some term paper or something designed by a fly-by-night operation out of some guy’s garage. If it comes from a large company like Oracle, there’s a certain reassurance that the product has been tested and tinkered with by people who know what they’re doing. Right?
The vulnerabilities in MySQL exposed recently could leave a poorly configured server running MySQL vulnerable to anything from a brute force attack to a DoS attack to leaving a system wide-open for a hacker to stroll right in and make themselves at home. Not good news. The average time between when a hacker discovers and begins exploiting vulnerabilities and when developers or security pros learn about them is ten months, but it’s not uncommon for the exploitation to last years. How long have hackers actually known of MySQL’s vulnerabilities? As an Oracle pro, should you be concerned?
Let’s not panic. There’s no single huge vulnerability here to be exploited- just multiple vulnerabilities that all became apparent at once. Also, most of the vulnerabilities manifest themselves through sloppy configuration. If you have strong passwords, firewalls and access control lists, it’s fairly unlikely your organization will run into trouble (BUT! If you have any doubt as to the security of your configuration, please please please go look into that!).
Some users of forked versions of MySQL have said they’ve known about these issues for about a decade. So, here’s an ethics question that might bring you back to your undergraduate philosophy classes– who is responsible for catching vulnerabilities? Technically, this debacle could probably be blamed on Monty Widenius, the founder of MySQL. Shouldn’t he have caught these issues when he created MySQL? Even if he didn’t, should Sun have caught them after they bought MySQL from Monty? Or was this Oracle’s responsibility, having bought Sun and the rights to all their products? If users of forked versions have known about these vulnerabilities for so long, why have none of the big guys caught them? Basically, are companies ethically responsible to at least try to beat the hackers at finding potential vulnerabilities? Or am I being too hard on everyone here?