Oracle issues 36 patches, but is anyone applying them?
DBAs face quarterly conundrum: To patch or not to patch
Computerworld - Many database administrators don't always apply security patches to their environments in a speedy fashion, but that's not stopping Oracle Corp. from releasing dozens of them on a quarterly basis.
The latest batch was released yesterday and includes fixes for 36 newly discovered vulnerabilities across a wide range of Oracle products.
The update was smaller than usual for Oracle and included fixes for 15 vulnerabilities in its database products, six in its application server products, and five in its e-business suite of products. The patches were released as part of the company's quarterly critical patch update schedule which it introduced in November 2004.
The most severe of the flaws, according to a post in an Oracle company blog, is a vulnerability that affects an Apache plug-in for the Oracle WebLogic Server that the company inherited in its purchase of BEA Systems Inc. earlier this year.
Oracle said the flaw can be exploited remotely and gave it a rating of 10, the highest level on the company's severity scale. A total of 11 of the flaws disclosed yesterday can be exploited remotely and therefore pose a greater danger than vulnerabilities that require an attacker to be authenticated on a system, according to Oracle.
The latest update is smaller than most of Oracle's typical quarterly updates and appears to present less serious threats than usual, said Amichai Shulman, chief technology officer at database security firm Imperva Inc., which discovered two of the vulnerabilities that were patched this week. But what continues to be surprising is that some of the patches appear to be addressing issues for which patches had been issued previously, he said.
What that probably means is that "patching is very local to where the vulnerability is being reported," Shulman said. Each time a flaw is discovered in a product component, the effort seems to be to patch that specific issue without going through code revision to eliminate the same vulnerability in other parts of the product, Shulman said.
For the most part, the vulnerabilities addressed in the latest update represent the usual mix of problems, such as buffer overflow errors and flaws that enable SQL injection attacks, said Slavik Markovich, chief technology officer at Sentrigo Inc., a vendor of database security products.
"Most of the vulnerabilities require some sort of authentication," before a potential attacker can take advantage of them, Markovich said. But that alone should not lull anybody into thinking a flaw is not serious, because it doesn't take much effort for attackers to steal a user or administrator's credentials and authenticate themselves to a system, he said. Sentrigo discovered two of the vulnerabilities patched this week.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts