Oracle issues 36 patches, but is anyone applying them?
DBAs face quarterly conundrum: To patch or not to patch
Computerworld - Many database administrators don't always apply security patches to their environments in a speedy fashion, but that's not stopping Oracle Corp. from releasing dozens of them on a quarterly basis.
The latest batch was released yesterday and includes fixes for 36 newly discovered vulnerabilities across a wide range of Oracle products.
The update was smaller than usual for Oracle and included fixes for 15 vulnerabilities in its database products, six in its application server products, and five in its e-business suite of products. The patches were released as part of the company's quarterly critical patch update schedule which it introduced in November 2004.
The most severe of the flaws, according to a post in an Oracle company blog, is a vulnerability that affects an Apache plug-in for the Oracle WebLogic Server that the company inherited in its purchase of BEA Systems Inc. earlier this year.
Oracle said the flaw can be exploited remotely and gave it a rating of 10, the highest level on the company's severity scale. A total of 11 of the flaws disclosed yesterday can be exploited remotely and therefore pose a greater danger than vulnerabilities that require an attacker to be authenticated on a system, according to Oracle.
The latest update is smaller than most of Oracle's typical quarterly updates and appears to present less serious threats than usual, said Amichai Shulman, chief technology officer at database security firm Imperva Inc., which discovered two of the vulnerabilities that were patched this week. But what continues to be surprising is that some of the patches appear to be addressing issues for which patches had been issued previously, he said.
What that probably means is that "patching is very local to where the vulnerability is being reported," Shulman said. Each time a flaw is discovered in a product component, the effort seems to be to patch that specific issue without going through code revision to eliminate the same vulnerability in other parts of the product, Shulman said.
For the most part, the vulnerabilities addressed in the latest update represent the usual mix of problems, such as buffer overflow errors and flaws that enable SQL injection attacks, said Slavik Markovich, chief technology officer at Sentrigo Inc., a vendor of database security products.
"Most of the vulnerabilities require some sort of authentication," before a potential attacker can take advantage of them, Markovich said. But that alone should not lull anybody into thinking a flaw is not serious, because it doesn't take much effort for attackers to steal a user or administrator's credentials and authenticate themselves to a system, he said. Sentrigo discovered two of the vulnerabilities patched this week.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!