


Few Oracle Customers Have Official Database Patching Policies

Joint survey by the Independent Oracle User Group and Oracle finds database patching practices weak

Most organizations running Oracle databases don't require the application of the database vendor's Critical Patch Updates (CPUs) -- in fact, only 26 percent require them, according to a new report.

"What I found interesting in the results, only about 1/3 of the respondents have organizational policies requiring regular application of the CPU. Another 1/3 need to justify the patch, and the last 1/3 have no policy to apply Oracle security patches (or other vendors')," blogged Michelle Malcher, a database administrator and member of the Independent Oracle User Group, which, along with Oracle, conducted a joint online survey of customers' patching practices.

The survey, which included 150 respondents polled between May and August of last year, highlighted what many security experts long have said -- that many organizations either do not patch their Oracle databases or just can't keep up with them.

Around 19 percent of respondents said their organizations don't have specific policies for requiring security-patching for any applications, and 11 percent said their patching policies do not include Oracle database patching. According to the report, 30 percent have no official policies for CPUs, and 36 percent said they have to justify any Oracle patching. Around 6 percent only patch mission-critical databases.

Oracle shops are having trouble keeping up with the quarterly patch cycle, too. More than half (55 percent) said they are at least one patch cycle behind. Around 30 percent said they install updates before the next CPU is released; 25 percent are one CPU behind (three to six months), while 10 percent are two CPUs behind (six to nine months), 8 percent are three CPUs behind (nine to 12 months), and another 8 percent are more than 12 months behind in their patching. Another 11 percent said they never apply CPU patches.
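The survey asked respondents how many cycles behind they are; the same figure can be measured on the database itself rather than estimated. The following is an added example, not part of the survey or this article, showing how a DBA can read the last recorded CPU apply and derive the number of quarterly cycles elapsed since. It assumes an Oracle 10g/11g instance, where the CPU post-install scripts record a row in SYS.REGISTRY$HISTORY, that the connecting user can select from that table, and that the ACTION values listed are the ones those scripts write (CPU for the older per-CPU scripts, APPLY for the 11g bundle scripts); 12c and later record SQL-level patching in DBA_REGISTRY_SQLPATCH instead.

```sql
-- Added example (not from the survey, the article, or Oracle documentation).
-- Assumes Oracle 10g/11g: CPU post-install scripts write to SYS.REGISTRY$HISTORY
-- with ACTION = 'CPU' (older CPU scripts) or 'APPLY' (11g bundle scripts).
-- Requires SELECT on SYS.REGISTRY$HISTORY (e.g. connect as SYSDBA).

-- 1. Full patch history the database recorded about itself, newest first.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments,
       bundle_series
  FROM sys.registry$history
 WHERE action IN ('CPU', 'APPLY')
 ORDER BY action_time DESC;

-- 2. Cycles behind: Oracle ships CPUs quarterly, so each full three months
--    since the last recorded apply is one cycle behind (matching the
--    survey's "one CPU behind = three to six months" bands).
--    If no CPU/APPLY row exists the query returns NULLs; treat that
--    instance as "never patched", the survey's 11 percent.
SELECT MAX(action_time)                                    AS last_cpu_applied,
       FLOOR(MONTHS_BETWEEN(SYSDATE, MAX(action_time)) / 3) AS cpu_cycles_behind
  FROM sys.registry$history
 WHERE action IN ('CPU', 'APPLY');
```

One caveat: REGISTRY$HISTORY only reflects the SQL post-install step of a CPU. The authoritative record of which binary patches are installed in an ORACLE_HOME is the OPatch inventory (opatch lsinventory), so a home that was patched without the post-install script being run, or a database that was cloned from an older home, can disagree with this query; check both before reporting a database as current.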

Even so, the respondents said they were mostly satisfied with the CPU as a way to protect their databases. Around 42 percent said the process was effective or extremely effective in securing their database environments, and 45 percent said it was "somewhat" effective. Around 13 percent said the CPU process was ineffective.

When asked what would help institute more timely and consistent patching of Oracle CPUs, one-third said organizational policies, while another one-third said enhanced tools and documentation. Around 16 percent said a massive malware infection would improve patching, and 10 percent said they didn't need to change their patching behavior.

"Our database environments tend to be more complex with several different applications accessing several databases," Malcher blogged. "Applying patches tends to bring the fear of what is going to break, so having organizational patching policies would help offset having to justify the patching. In addition, having documentation or tools to better be able to test changes to the environment before the actual deployment of the CPUs would help reduce the risk of outages, and possibly reduce the cost and time required to implement a security patching policy."

Oracle, meanwhile, plans to explore ways to better educate its users about security patching, and will enhance its CPU documentation "in order to help customers determine which areas need to be tested in their environment prior to the deployment of Critical Patch Updates against production systems," according to the Oracle/Independent Oracle User Group report.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
