2/27/2009
12:53 PM
Few Oracle Customers Have Official Database Patching Policies

Joint survey by the Independent Oracle User Group and Oracle finds database patching practices weak

Most organizations running Oracle databases don't require the application of the database vendor's Critical Patch Updates (CPUs); in fact, only 26 percent require them, according to a new report.

"What I found interesting in the results, only about 1/3 of the respondents have organizational policies requiring regular application of the CPU. Another 1/3 need to justify the patch, and the last 1/3 have no policy to apply Oracle security patches (or other vendors')," blogged Michelle Malcher, a database administrator and member of the Independent Oracle User Group, which, along with Oracle, conducted a joint online survey of customers' patching practices.

The survey, which included 150 respondents polled between May and August of last year, highlighted what many security experts long have said -- that many organizations either do not patch their Oracle databases or just can't keep up with them.

Around 19 percent of respondents said their organizations have no specific policies requiring security patching for any applications, and 11 percent said their patching policies do not cover Oracle database patching. According to the report, 30 percent have no official policies for CPUs, and 36 percent said they have to justify any Oracle patching. Around 6 percent patch only mission-critical databases.

Oracle shops are having trouble keeping up with the patch cycles, too. More than half (55 percent) said they are one or two patch cycles behind. Around 30 percent said they install updates before the next CPU is released; 25 percent are one CPU behind (three to six months), while 10 percent are two CPUs behind (six to nine months), 8 percent are three CPUs behind (nine to 12 months), and another 8 percent are more than 12 months behind in their patching. Another 11 percent said they never apply CPU patches.

Even so, the respondents said they were mostly satisfied with the CPU as a way to protect their databases. Around 42 percent said the process was effective or extremely effective in securing their database environments, and 45 percent said it was "somewhat" effective. Around 13 percent said the CPU process was ineffective.

When asked what would help institute more timely and consistent patching of Oracle CPUs, one-third said organizational policies, while another one-third said enhanced tools and documentation. Around 16 percent said a massive malware infection would improve patching, and 10 percent said they didn't need to change their patching behavior.

"Our database environments tend to be more complex with several different applications accessing several databases," Malcher blogged. "Applying patches tends to bring the fear of what is going to break, so having organizational patching policies would help offset having to justify the patching. In addition, having documentation or tools to better be able to test changes to the environment before the actual deployment of the CPUs would help reduce the risk of outages, and possibly reduce the cost and time required to implement a security patching policy."

Oracle, meanwhile, plans to explore ways to better educate its users about security patching, and will enhance its CPU documentation "in order to help customers determine which areas need to be tested in their environment prior to the deployment of Critical Patch Updates against production systems," according to the Oracle/Independent Oracle User Group report.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
