October 17, 2008

October's CPU Warning Signs

So the October CPU is out. Oracle's advisory says: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 36 new security fixes across all products."

Earlier this week, Amichai wrote about how little useful information the advisory gives a DBA for determining what is actually at risk. DBAs will once again face the familiar dilemma, to patch or not to patch, and we have all read the previous comments on this subject.

This CPU includes many vulnerabilities that were discovered by the growing community of database researchers and reported to Oracle. Some of them were discovered nearly three years ago and are being fixed only now. From a risk perspective I draw two conclusions:

  1. It takes a very long time to fix reported vulnerabilities, so it is safe to assume that more are known and still unpatched.
  2. The number of researchers able to break the database products and their protocol keeps growing, so it is equally safe to assume that other people can reproduce the same exploits.

The biggest concern I have is the underlying network protocol shared by Oracle's products (Oracle Net, the TNS protocol). Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools and Siebel Enterprise all connect to the database over the same protocol, the one that has been patched over and over again through the years. And that is only a partial list of products, taken from the first paragraph of Oracle's advisory!

Database security solutions must therefore provide insight (monitoring and auditing) as well as protection for the protocol itself, because a client that speaks the protocol can reach every product on that list. I am using Oracle as the example, but the risk is similar with other databases. Such a solution has to inspect the following aspects of the database protocol: message type, header structure, header size and header flags, parameter lengths, authentication and login data, protocol statements, and protocol actions.
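The post does not name the protocol, but the wire protocol these products share is Oracle Net (TNS). The following Python parser is an added example, not code from the original post or from Oracle, showing what the checks listed above look like when applied to a TNS CONNECT packet: it validates the packet type, the header length field, the connect-data length and offset fields, and then decodes the login-related data (service name, user, program) out of the connect descriptor. The 8-byte header and CONNECT field layout follow the publicly documented format as dissected by tools such as Wireshark; the sample packet, its three tampered variants and the host, service and user names in it are all constructed here for the example.

```python
"""Header and length sanity checks over Oracle Net (TNS) CONNECT packets (added example)."""
import struct

HEADER_LEN = 8          # length(2) checksum(2) type(1) reserved(1) header checksum(2), big-endian
CONNECT_FIXED_LEN = 20  # ten 16-bit fields that follow the header in a CONNECT packet
PACKET_TYPES = {1: "CONNECT", 2: "ACCEPT", 3: "ACK", 4: "REFUSE", 5: "REDIRECT", 6: "DATA",
                7: "NULL", 9: "ABORT", 11: "RESEND", 12: "MARKER", 13: "ATTENTION", 14: "CONTROL"}


class TnsError(ValueError):
    """Raised when a packet violates one of the header or length rules checked here."""


def parse_header(pkt: bytes) -> dict:
    """Validate the TNS header: a known packet type and a length field matching the bytes seen."""
    if len(pkt) < HEADER_LEN:
        raise TnsError("packet shorter than TNS header")
    length, checksum, ptype, reserved, hdr_checksum = struct.unpack(">HHBBH", pkt[:HEADER_LEN])
    if ptype not in PACKET_TYPES:
        raise TnsError(f"unknown packet type {ptype}")
    if length != len(pkt):
        raise TnsError(f"length field {length} does not match {len(pkt)} bytes on the wire")
    return {"type": PACKET_TYPES[ptype], "length": length, "checksum": checksum,
            "reserved": reserved, "header_checksum": hdr_checksum}


def parse_descriptor(s: str, pos: int = 0):
    """Recursive-descent parser for '(NAME=VALUE)' connect descriptors; nested groups become lists."""
    while pos < len(s) and s[pos].isspace():
        pos += 1
    if pos >= len(s) or s[pos] != "(":
        raise TnsError(f"expected '(' at {pos}")
    eq, close = s.find("=", pos), s.find(")", pos)
    if eq == -1 or (close != -1 and close < eq):
        raise TnsError(f"group at {pos} has no '='")
    name, pos = s[pos + 1:eq].strip(), eq + 1
    while pos < len(s) and s[pos].isspace():
        pos += 1
    if pos < len(s) and s[pos] == "(":          # value is a list of nested groups
        children = []
        while pos < len(s) and s[pos] == "(":
            child, pos = parse_descriptor(s, pos)
            children.append(child)
            while pos < len(s) and s[pos].isspace():
                pos += 1
        value = children
    else:                                        # value is a literal up to the closing ')'
        close = s.find(")", pos)
        if close == -1:
            raise TnsError("unterminated group")
        value, pos = s[pos:close].strip(), close
    if pos >= len(s) or s[pos] != ")":
        raise TnsError(f"expected ')' at {pos}")
    return (name, value), pos + 1


def lookup(node, *path):
    """Return the literal found at NAME/NAME/... in a parsed descriptor, or None if absent."""
    name, value = node
    if name != path[0]:
        return None
    if len(path) == 1:
        return value if isinstance(value, str) else None
    if isinstance(value, str):
        return None
    for child in value:
        found = lookup(child, *path[1:])
        if found is not None:
            return found
    return None


def parse_connect(pkt: bytes) -> dict:
    """Check the CONNECT length/offset fields, then decode the connect descriptor they point at."""
    hdr = parse_header(pkt)
    if hdr["type"] != "CONNECT":
        raise TnsError(f"expected CONNECT, got {hdr['type']}")
    body = pkt[HEADER_LEN:HEADER_LEN + CONNECT_FIXED_LEN]
    if len(body) < CONNECT_FIXED_LEN:
        raise TnsError("CONNECT body truncated")
    (version, compat, svc_opts, sdu, tdu, nt_proto, turnaround,
     one_in_hw, cd_len, cd_off) = struct.unpack(">10H", body)
    # Offsets are relative to the packet start; the data must sit after the fixed fields
    # and inside the length the header itself claims, or a server trusting them would over-read.
    if cd_off < HEADER_LEN + CONNECT_FIXED_LEN:
        raise TnsError(f"connect data offset {cd_off} overlaps fixed fields")
    if cd_off + cd_len > hdr["length"]:
        raise TnsError(f"connect data {cd_off}+{cd_len} runs past packet length {hdr['length']}")
    try:
        text = pkt[cd_off:cd_off + cd_len].decode("ascii")
    except UnicodeDecodeError:
        raise TnsError("connect data is not ASCII") from None
    tree, end = parse_descriptor(text, 0)
    if text[end:].strip():
        raise TnsError("trailing bytes after connect descriptor")
    return {"header": hdr, "version": version, "compat": compat, "sdu": sdu, "tdu": tdu,
            "descriptor": tree}


def inspect_connect(pkt: bytes) -> dict:
    """Login-related fields a monitoring solution would log for a validated CONNECT packet."""
    info = parse_connect(pkt)
    d = info["descriptor"]
    return {"version": info["version"],
            "host": lookup(d, "DESCRIPTION", "ADDRESS", "HOST"),
            "service": lookup(d, "DESCRIPTION", "CONNECT_DATA", "SERVICE_NAME"),
            "user": lookup(d, "DESCRIPTION", "CONNECT_DATA", "CID", "USER"),
            "program": lookup(d, "DESCRIPTION", "CONNECT_DATA", "CID", "PROGRAM")}


def check(pkt: bytes):
    """Return None if the packet passes every check, otherwise the reason it was rejected."""
    try:
        parse_connect(pkt)
    except TnsError as e:
        return str(e)
    return None


def build_connect(connect_data: str) -> bytes:
    """Constructed sample: a version-314 CONNECT packet laid out like one a client sends
    (connect data at offset 58, after the fixed fields, trace items, connection id and padding)."""
    data = connect_data.encode("ascii")
    offset = 58
    fixed = struct.pack(">10H", 314, 300, 0x0C41, 8192, 65535, 0x7F08, 0, 0x0100, len(data), offset)
    tail = struct.pack(">IBB", 2048, 0x41, 0x41) + bytes(8) + bytes(8) + bytes(8)  # 30 bytes
    header = struct.pack(">HHBBH", offset + len(data), 0, 1, 0, 0)
    return header + fixed + tail + data


# Constructed sample connect descriptor; host, service and user names are placeholders.
SAMPLE_CONNECT_DATA = ("(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=db1.example.test)(PORT=1521))"
                       "(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=ws42)(USER=scott))))")
GOOD = build_connect(SAMPLE_CONNECT_DATA)
BAD_LENGTH = b"\xff\xff" + GOOD[2:]                          # header length field inflated
BAD_CDLEN = GOOD[:24] + struct.pack(">H", 0xFFFF) + GOOD[26:]  # connect data length too large
BAD_OFFSET = GOOD[:26] + struct.pack(">H", 4) + GOOD[28:]      # offset points back into the header

if __name__ == "__main__":
    print(inspect_connect(GOOD))
    for label, pkt in (("bad length", BAD_LENGTH), ("bad cd_len", BAD_CDLEN), ("bad offset", BAD_OFFSET)):
        print(label, "->", check(pkt))
```

The three tampered packets are each rejected by a different rule, which is the point: a monitor that only looks at the descriptor text would happily parse all of them, while a server that trusts the length and offset fields reads outside the packet. Only after the header and length fields are consistent does it make sense to log the user, program and service name.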
