Oracle issues 36 patches, but is anyone applying them?
DBAs face quarterly conundrum: To patch or not to patch
Computerworld - Many database administrators don't always apply security patches to their environments in a speedy fashion, but that's not stopping Oracle Corp. from releasing dozens of them on a quarterly basis.
The latest batch was released yesterday and includes fixes for 36 newly discovered vulnerabilities across a wide range of Oracle products.
The update was smaller than usual for Oracle and included fixes for 15 vulnerabilities in its database products, six in its application server products, and five in its e-business suite of products. The patches were released as part of the company's quarterly critical patch update schedule which it introduced in November 2004.
The most severe of the flaws, according to a post in an Oracle company blog, is a vulnerability that affects an Apache plug-in for the Oracle WebLogic Server that the company inherited in its purchase of BEA Systems Inc. earlier this year.
Oracle said the flaw can be exploited remotely and gave it a rating of 10, the highest level on the company's severity scale. A total of 11 of the flaws disclosed yesterday can be exploited remotely and therefore pose a greater danger than vulnerabilities that require an attacker to be authenticated on a system, according to Oracle.
The latest update is smaller than most of Oracle's typical quarterly updates and appears to present less serious threats than usual, said Amichai Shulman, chief technology officer at database security firm Imperva Inc., which discovered two of the vulnerabilities that were patched this week. But what continues to be surprising is that some of the patches appear to be addressing issues for which patches had been issued previously, he said.
What that probably means is that "patching is very local to where the vulnerability is being reported," Shulman said. Each time a flaw is discovered in a product component, the effort seems to be to patch that specific issue without going through code revision to eliminate the same vulnerability in other parts of the product, Shulman said.
For the most part, the vulnerabilities addressed in the latest update represent the usual mix of problems, such as buffer overflow errors and flaws that enable SQL injection attacks, said Slavik Markovich, chief technology officer at Sentrigo Inc., a vendor of database security products.
"Most of the vulnerabilities require some sort of authentication," before a potential attacker can take advantage of them, Markovich said. But that alone should not lull anybody into thinking a flaw is not serious, because it doesn't take much effort for attackers to steal a user or administrator's credentials and authenticate themselves to a system, he said. Sentrigo discovered two of the vulnerabilities patched this week.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!