Four times a year Oracle issues its Critical Patch Update (CPU) to address security vulnerabilities in its technologies. According to database-security firm Sentrigo, Oracle’s efforts may well be underutilized by its users.
Sentrigo found that only 10 percent of respondents in a study of Oracle User Group attendees reported they were up to date and had installed the latest Oracle CPU.
A staggering 67.5 percent of respondents admitted they had never applied any Oracle CPU. The study results come on the eve of Oracle’s January CPU release in which 27 issues are expected to be addressed.
Slavik Markovich, CTO of Sentrigo, told InternetNews.com of a few other trends he noticed among the user group’s attendees and Sentrigo customers.
Overall, Markovich noted a lack of awareness — especially among IT security professionals — of open database vulnerabilities.
He also reported a lack of CPU certification for some applications. For example, if you have an SAP system running atop an Oracle database, it may not be certified to run on the recent CPUs.
Markovich also mentioned that security tasks have a low priority for the average database administrator (DBA), as enterprises judge them instead on uptime and performance.
While some databases are publicly accessible from the Internet, many Oracle databases are not.
Nevertheless, users who choose not to apply the latest Oracle CPU can be at risk either way.
Markovich admitted that nonpublic databases are less at risk from outside intrusion. That said, he noted that even databases not directly accessible from the Internet can be hacked into as long as an unbroken physical connection exists. Insiders using publicly available exploits can gain DBA privileges without any database expertise, posing an additional risk.
DBAs’ failure to ensure their databases remain up to date comes despite Oracle’s efforts to boost user adoption.
“The CPU system was Oracle’s response to customer requests a couple of years back,” Markovich said. The current system “is a big improvement on the previous method that was less organized and did not have enough disclosure to allow customers to make informed decisions.”
In recent CPUs, Oracle has introduced additional improvements that provide more details about the vulnerabilities and their severity.
“Ultimately there is an inherent complexity to database patching,” Markovich explained. “And while Oracle could still make things incrementally easier, there has to be recognition on the customer side that security has to be worked into the normal database administration routine.”
An Oracle spokesperson was not immediately available for comment.
Oracle users aren’t alone in failing to install the latest patched versions of their software. A recent survey from security vendor Secunia found similar results, with people running out-of-date versions of a wide range of applications.