A survery by Sentrigo indicates that most Oracle database administrators do not apply the Critical Patch Updates (CPUs) that Oracle issues on a quarterly basis. Oracle designed its CPU program to help customers protect databases and other products against recently discovered security vulnerabilities. However, security patching is largely neglected, which leaves databases open to exploits.

Although there are genuine hurdles to CPU installation, including downtime and concerns about compatibility with applications, the results indicate that many enterprises have not internalized the high risk presented by securing their databases with the latest patches.

Sentrigo has collected responses from professionals, mostly database administrators as well as consultants and developers. Results highlight that most organizations are not taking advantage of Oracle CPUs in a timely manner, if at all. Findings include:

• Just ten percent of the respondents applied the most recently issued Oracle CPU.
• 67.5 percent of the respondents said they had never applied any Oracle CPU.

In a Q&A with Help Net Security, Slavik Markovich, CTO at Sentrigo, commented on this situation.

In your opinion, how many unpatched critial Oracle deployments are there in the wild?

It is likely that 50% or more of the critical Oracle deployments are unpatched, or not fully patched. The actual numbers are hard to reproduce because it depends in your definition of critical. Is a test environment duplicated from a financial production database critical? In terms of data, I believe it is though some enterprises will not consider it so.

Should Oracle be doing more to enable users easier patching?

Oracle as a company is doing its best to provide its customers with a predictable process for its CPUs. The current process is based on what customers demanded. Oracle used to provide CPUs that included many non-security related patches but that made matters even worse. The latest CPU had an interesting new method of enabling partial deployment of only the relevant parts in the patch but it was only enabled to the latest Oracle 10.2.0.3 version.

On the other hand, even if Oracle is doing a lot, they can do more. One thing they are not providing is CPU support for all Oracle versions, even the officially supported ones. The latest CPU will not support almost all versions of 9i and 10gR1 (only 9.2.0.8 and 10.1.0.5 are supported).

Oracle is trying to strike a balance between disclosing enough about the vulnerabilities so that customers can decide what is relevant for them, and hiding information so that it can’t be used by hackers. I think they should be doing more on this front - there is little point in being mysterious when in fact hackers are able to analyze the patches very quickly and create scripting attacks that can be used even by database novices.

What are the biggest threats looming over unpatched Oracle vulnerabilities in the past year?

While we won’t disclose specific vulnerabilities, there are many vulnerabilities that allow remote attacks on the database, enabling an attacker without any credentials to own the database. Also, there are many vulnerabilities that allow privilege elevation thus allowing regular users to become administrators, and users with limited permissions to change critical tables. Such vulnerabilities are severe and dangerous both in terms of insiders accessing data they shouldn’t be accessing, as well as outside intruders managing to penetrate through the enterprise’s perimeter defenses.