Two months after effectively being told to mind its own business by Oracle, a security research firm says six vulnerabilities it discovered in Oracle's software were patched by the vendor this month.
In a blog post that Oracle swiftly removed, Oracle CSO Mary Ann Davidson revealed in August that the vendor was clamping down on customers and consultants who "reverse engineer" its code in an effort to find vulnerabilities in it.
Alexander Polyakov, chief technology officer at ERPScan, who was among those who criticised Davidson's blog post at the time, claimed Oracle needs all the help it can get finding flaws in its code.
"The best way to make researchers mad is to tell them you don't need them," Polyakov (pictured) told CRN.
"It took us less than a day to find a dozen issues in Oracle's most critical business application - Oracle E-Business Suite - and I can't say that it was really hard. XSS, SQL injection, XXE and user enumeration vulnerabilities - the basics of application security are here. All of them were identified by interns from our research team easily. What else can I add?"
According to ERPScan, the six vulnerabilities it reported and Oracle plugged were a cross-site scripting (XSS) flaw, a SQL injection flaw, XML external entity (XXE) injection flaws and a user enumeration flaw. ERPScan claimed that some of them - the SQL injection and XXE issues - allow an attacker to gain unauthorised access to the business application with administrator rights.
Back in August, Davidson argued that reverse-engineering breaches Oracle's licence terms and conditions, adding that Oracle is "pretty good" at analysing its own code and finds 87 per cent of security vulnerabilities itself.
But some argued at the time that Oracle should be encouraging - rather than condemning - researchers for finding chinks in its code at a time when ERP software is coming under increasingly widespread attack from cybercriminals.
Oracle declined to comment but made it clear at the time that it pulled Davidson's post because it did not "reflect its beliefs".