Tuesday, January 22, 2008

Did you (ever) patch your Oracle...??

[Image: Shock to see 26 patches - CJ7]

Oracle issues dozens of security patches every quarter. Last week it released 26 security fixes across its product line, including nine that address remotely exploitable flaws.
Five of the six vulnerabilities in Oracle Application Server can be exploited over the network without a username or password.
Because of the threat posed by a successful attack, Oracle strongly recommends that customers apply the fixes as soon as possible.

-Don't be shocked, it is only 26 patches
Don't be shocked to see 26 patches in the latest patch update (compared with Microsoft's 2 patches): there were 51 fixes in October's update. Furthermore, Oracle's is a quarterly update, whereas Microsoft's is monthly.

-Don't be surprised, two-thirds did not patch
But to my surprise, according to survey results from Sentrigo Inc., a vendor of database security products, two-thirds of Oracle DBAs had not applied Oracle's security patches at all (no matter how critical the vulnerabilities). The survey covered 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008.

Some might be a bit skeptical of the result, since the vendor publishing it sells a patching solution. But from my experience in managing critical servers, I think the survey result is quite credible. There are many concerns when applying patches to enterprise servers, because the databases and the applications built on them are tightly inter-related.

Here are some common concerns faced by DBAs:
- "You change the database behavior in some ways that may affect application performance."
- Typically, before the patches can be applied, they must be tested against the applications that feed off the database. "This is a very long and very hard process to do, especially if you are in an enterprise with a large number of databases and applications." It can require months of labor and sometimes significant downtime, which most companies can't afford.
- Some application vendors don't certify Oracle patches to run with their applications, making companies unwilling to apply them.

Hopefully, after reading this post, you can make your management understand the concerns around patching the servers and get them to explicitly accept the risk if they decide not to patch. At least you will not see surprised faces (like Stephen Chow above) from management when the system crashes (during patching) or gets hacked (when it is not patched).
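Before asking management to accept the risk, find out which side of the survey each of your own databases falls on. The queries below are an added example for this post, not code from the original or from Oracle's patch documentation; they assume Oracle 10.2 or later (the DBA_REGISTRY_HISTORY view does not exist in earlier releases), a DBA account with SELECT on the view, and that the CPU's post-install script (catcpu.sql) wrote a row whose COMMENTS column names the update, e.g. CPUJan2008 (an assumption to verify against your own output).

```sql
-- Added example, not part of the original post or of Oracle's CPU documentation.
-- Assumes Oracle 10.2+ and SELECT privilege on DBA_REGISTRY_HISTORY.

-- 1. Everything that has ever been registered against this database
--    (upgrades, downgrades, CPUs), most recent first.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- 2. Only the Critical Patch Updates. An empty result means no CPU's
--    post-install script (catcpu.sql) has ever been run here, i.e. this
--    database is in the "never patched" group from the survey.
--    Assumption: COMMENTS holds the CPU name, e.g. 'CPUJan2008'.
SELECT action_time,
       version,
       comments
FROM   dba_registry_history
WHERE  action = 'CPU'
ORDER  BY action_time DESC;
```

Run them from SQL*Plus as a DBA user. One caveat a practitioner should keep in mind: this view only records what was done inside the database. The binaries in ORACLE_HOME are patched separately with OPatch (`$ORACLE_HOME/OPatch/opatch lsinventory` lists the interim patches applied to the home), so a home that was patched with OPatch but never had catcpu.sql run still has an unpatched database, and the two checks need to agree before you report a server as patched.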

Related Reports:
- Oracle Critical Patch Update Advisory - January 2008

- Two-thirds of Oracle DBAs don't apply security patches (ComputerWorld)
