Oracle issues 36 patches, but is anyone applying them?
DBAs face quarterly conundrum: To patch or not to patch
Computerworld - Many database administrators don't always apply security patches to their environments in a speedy fashion, but that's not stopping Oracle Corp. from releasing dozens of them on a quarterly basis.
The latest batch was released yesterday and includes fixes for 36 newly discovered vulnerabilities across a wide range of Oracle products.
The update was smaller than usual for Oracle and included fixes for 15 vulnerabilities in its database products, six in its application server products, and five in its e-business suite of products. The patches were released as part of the company's quarterly critical patch update schedule which it introduced in November 2004.
The most severe of the flaws, according to a post in an Oracle company blog, is a vulnerability that affects an Apache plug-in for the Oracle WebLogic Server that the company inherited in its purchase of BEA Systems Inc. earlier this year.
Oracle said the flaw can be exploited remotely and gave it a rating of 10, the highest level on the company's severity scale. A total of 11 of the flaws disclosed yesterday can be exploited remotely and therefore pose a greater danger than vulnerabilities that require an attacker to be authenticated on a system, according to Oracle.
The latest update is smaller than most of Oracle's typical quarterly updates and appears to present less serious threats than usual, said Amichai Shulman, chief technology officer at database security firm Imperva Inc., which discovered two of the vulnerabilities that were patched this week. But what continues to be surprising is that some of the patches appear to be addressing issues for which patches had been issued previously, he said.
What that probably means is that "patching is very local to where the vulnerability is being reported," Shulman said. Each time a flaw is discovered in a product component, the effort seems to be to patch that specific issue without going through code revision to eliminate the same vulnerability in other parts of the product, Shulman said.
For the most part, the vulnerabilities addressed in the latest update represent the usual mix of problems, such as buffer overflow errors and flaws that enable SQL injection attacks, said Slavik Markovich, chief technology officer at Sentrigo Inc., a vendor of database security products.
"Most of the vulnerabilities require some sort of authentication," before a potential attacker can take advantage of them, Markovich said. But that alone should not lull anybody into thinking a flaw is not serious, because it doesn't take much effort for attackers to steal a user or administrator's credentials and authenticate themselves to a system, he said. Sentrigo discovered two of the vulnerabilities patched this week.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts