Oracle Issues 36 Patches, But Is Anyone Applying Them?

Many database administrators don’t always apply security patches to their environments in a speedy fashion, but that’s not stopping Oracle Corp. from releasing dozens of them on a quarterly basis.

The latest batch was released yesterday and includes fixes for 36 newly discovered vulnerabilities across a wide range of Oracle products.

The update was smaller than usual for Oracle and included fixes for 15 vulnerabilities in its database products, six in its application server products, and five in its e-business suite of products. The patches were released as part of the company’s quarterly critical patch update schedule which it introduced in November 2004.

The most severe of the flaws, according to a post in an Oracle company blog, is a vulnerability that affects an Apache plug-in for the Oracle WebLogic Server that the company inherited in its purchase of BEA Systems Inc. earlier this year.

Oracle said the flaw can be exploited remotely and gave it a rating of 10, the highest level on the company’s severity scale. A total of 11 of the flaws disclosed yesterday can be exploited remotely and therefore pose a greater danger than vulnerabilities that require an attacker to be authenticated on a system, according to Oracle.

The latest update is smaller than most of Oracle’s typical quarterly updates and appears to present less serious threats than usual, said Amichai Shulman, chief technology officer at database security firm Imperva Inc., which discovered two of the vulnerabilities that were patched this week. But what continues to be surprising is that some of the patches appear to be addressing issues for which patches had been issued previously, he said.

What that probably means is that “patching is very local to where the vulnerability is being reported,” Shulman said. Each time a flaw is discovered in a product component, the effort seems to be to patch that specific issue without going through code revision to eliminate the same vulnerability in other parts of the product, Shulman said.

For the most part, the vulnerabilities addressed in the latest update represent the usual mix of problems, such as buffer overflow errors and flaws that enable SQL injection attacks, said Slavik Markovich, chief technology officer at Sentrigo Inc., a vendor of database security products.

“Most of the vulnerabilities require some sort of authentication,” before a potential attacker can take advantage of them, Markovich said. But that alone should not lull anybody into thinking a flaw is not serious, because it doesn’t take much effort for attackers to steal a user or administrator’s credentials and authenticate themselves to a system, he said. Sentrigo discovered two of the vulnerabilities patched this week.

Oracle’s patches are typically released once a quarter on the same Tuesday that Microsoft Corp. releases its monthly patches. But unlike the case with Microsoft’s patches, there usually is no immediate rush to deploy Oracle’s database fixes, Shulman and Markovich said.

In many cases, companies, especially large ones with many databases, are reluctant to bring down production databases to implement new patches. Many are also wary about deploying untested patches in live environments or need to wait for their packaged application vendors to test and certify the patches before they can be deployed, they said.

As a result, there usually is a considerable lag time between when a patch becomes available from Oracle and when it gets deployed. In some cases, the lag can be months. Other users simply skip entire patch cycles and choose to deploy the patches on a yearly or twice-yearly basis, they said.

Sentrigo polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008 and found that two-thirds of Oracle DBAs apparently are not installing Oracle’s security patches at all, no matter how critical the vulnerabilities are.

Such practices can leave companies dangerously exposed to attacks directed against database vulnerabilities, Markovich said. Just as in the Windows world, security researchers and malicious attackers are able to reverse-engineer Oracle patches to figure out ways to exploit a vulnerability. The longer a company leaves a hole unpatched, the greater the risk that someone will find a way to take advantage of it, he said.

At the very least, companies that are unwilling or unable to deploy database patches quickly need to implement work-arounds that protect them from the flaws, Shulman added.

Oracle’s latest patches come in the wake of a recent study by the International Oracle User Group (IOUG) in which a large number of respondents expressed serious reservations about the security of their database environments.

The report was based on a survey of database administrators and other IT managers at more than 300 companies, about one-third of which were businesses with more than 10,000 employees. One in four of the respondents said that they believe their company databases were locked down adequately against malicious attack, while 20 percent said they expected their databases to be breached in the coming year.

Most of the organizations said their greatest threat came from insiders, who either had legitimate access to databases or had managed to get access illegally. However, many of the same organizations admitted that they didn’t have controls in place for preventing this sort of access by insiders. Other security issues that were cited by the respondents included the rampant use of production data by software development teams and the continued lack of encryption of sensitive data stored in databases.

The findings were not entirely unexpected, said Ian Abramson, president of the IOUG. Though there appears to be a growing awareness of security problems, companies often face a variety of challenges when it comes to addressing them, he said. In addition to such potential issues as downtime and costs, there is also the question of who will lead the initiative to address security vulnerabilities in the database environment. While DBAs have a role by themselves, they are unlikely to have the clout needed to effect major security changes, he said.

Abramson also stressed the need for companies to implement auditing and alerting measures to ensure that insider access to databases is monitored and logged. If those with inside access to databases know their activity is being watched, there will be less of a tendency to abuse that access, he said. Many of the features needed to do this sort of auditing are already available in the database or from third parties, he said. “To me, this is what people really have to be focusing on,” he said.