Oracle Continues Issuing Huge Security Patches

In Oracle, Oracle Applications | November 18th, 2015

Oracle’s Critical Patch Update releases in 2015 have been anything but routine: each of the three issued so far has addressed somewhere between roughly 100 and nearly 200 vulnerabilities.

Although Critical Patch Updates are released for Oracle products four times a year, database professionals need to be attentive to security 24/7/365, making certain all databases are patched, hardened and backed up, so that known vulnerabilities cannot be exploited by unauthorized parties and so that data can be recovered if one is.

A security vulnerability is a weakness in a computer system that an attacker could exploit to compromise it.

Vulnerabilities come in a broad range, and product defects of the kind fixed in a Critical Patch Update are only one of them. Others include weak or reused passwords, misconfigured systems, and software left unpatched; malware is not a vulnerability in itself but the means by which an attacker exploits one.

The July 2015 Critical Patch Update includes 193 fixes, 10 of which are for Oracle Database. Another 44 address third-party components bundled with Oracle products. Of the Oracle Database fixes, two cover vulnerabilities that are exploitable remotely without authentication, that is, over the network by an attacker holding no credentials.

The same release also covers MySQL and Oracle Enterprise Manager.

In Oracle’s words:

“Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
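Before an update can be applied "without delay" a DBA has to know what the database currently records as applied. The queries below are added here as a worked example; they are not taken from Oracle's advisory or from the original post. They use only data-dictionary views Oracle ships: V$VERSION for the release, DBA_REGISTRY_HISTORY (where 11g's catbundle.sql records CPU/PSU applies) and DBA_REGISTRY_SQLPATCH (where datapatch records them on 12c and later). The column set assumed is the one documented for those releases; matching the latest PATCH_ID or COMMENTS value against the current Critical Patch Update advisory is a manual step, and a patch applied only in the Oracle home (opatch) but never run against the database via datapatch/catbundle will not appear here.

```sql
-- Added example: what this database says about its own patch level.
-- Run as a user with SELECT on the DBA_ views (e.g. SYS or a DBA role).

-- 1. Release line: is this still an actively-supported version?
SELECT banner
FROM   v$version
WHERE  banner LIKE 'Oracle Database%';

-- 2. 11g (11.2.x): CPU/PSU applies recorded by catbundle.sql.
--    The most recent APPLY row's COMMENTS/ID is the patch level to
--    compare against the latest Critical Patch Update advisory.
SELECT action_time, action, namespace, version, id, comments
FROM   dba_registry_history
WHERE  namespace = 'SERVER'
ORDER  BY action_time DESC;

-- 3. 12c and later: applies recorded by datapatch.
--    A STATUS other than SUCCESS means the patch is in the home but
--    its SQL portion was not fully applied; the database is not patched.
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time DESC;
```

Run the query that matches your release; on a 12c database the 11g view still exists but CPU applies are no longer written to it, so an empty or stale DBA_REGISTRY_HISTORY there is not evidence of a missing patch.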

Security is essential to organizations of all sizes. Databases are but one essential portion of the computing infrastructure that must be secured in order to protect an organization’s data, finances, and reputation.

Oracle began taking some hits in the media in August 2015 after Mary Ann Davidson, its chief security officer, posted what some viewed as “a long, ranting tirade” related to her frustrations with security researchers. As Robert Hackett explained for Fortune, Davidson is “irritated by how often she’s had to have a particular conversation with computer crackers,” to the point that she wrote a lengthy blog post on the issue. “While the hackers like to point out what they deem to be security flaws in Oracle software—in the hopes of winning compensation and credit,” explained Hackett, “she has to keep telling them that they’re violating their licenses by engaging in such research.”

Oracle ultimately took the post down, “as it does not reflect our beliefs or our relationship with our customer,” according to a media statement from Edward Screven, Oracle executive vice president and chief corporate architect.

Although the post may have gone away relatively quickly, fallout from the matter decidedly did not.

Security professionals and journalists alike have taken note of the large number of Oracle vulnerabilities. The January 2015 Critical Patch Update resolved 169 vulnerabilities, and the April 2015 update addressed almost 100 flaws across the product line. The April update included four fixes for Oracle Database and 26 for MySQL, four of the latter covering flaws exploitable remotely without authentication.

To be fair, Oracle is hardly alone. The Avant Browser was listed as the most vulnerable product in the Secunia Research July 2015 Vulnerability Update: with 206 vulnerabilities it led the list for that month. The firm also notes that 1,993 vulnerabilities were recorded across all products between January 1 and July 31, 2015, on a par with the same period in 2014, but that a greater share of them were rated Extremely Critical or Highly Critical. The firm advises:

“In fact, rather than keeping an eye on the news stories about vulnerabilities as they pop up, you are much better off simply realizing that all software, hardware, middleware and firmware is potentially and probably vulnerable and that the product name doesn’t guarantee much – certainly not impregnable code.”

The full list of affected Oracle products is contained in the Oracle Critical Patch Update Advisories for April and July 2015.

Oracle releases Critical Patch Updates on a fixed quarterly schedule, in January, April, July, and October. The next regularly scheduled update falls on October 20, 2015.

Datavail can help your organization with applying patches, testing fixes, and backing up data. Contact Datavail to discuss a custom Oracle solution designed for your enterprise and to learn more about our remote database services and how our experts can help with your projects or operations.

For more solutions to both common and advanced database administration related questions, visit Datavail’s frequently updated blog.

Vice President and Practice Leader of Oracle Services, Datavail
Patrick’s background includes 15 years of IT experience specializing in database architecture, database administration and performance tuning. He has managed the infrastructure for enterprise database operations of over 300 databases, including several ranging from 10 gigabytes to 80 terabytes. Patrick has designed and developed comprehensive database administration solutions for high performance, reliability and integrity, including backup and recovery, fault-tolerant connectivity, operations and performance monitoring, reporting, automated storage management, BCDR, SOX compliance and Co-Sourcing. A former manager at Level 3 Communications, Patrick has valuable experience in database architecture and corporate data warehousing. Patrick’s hobbies include skiing, Crossfit, hockey and playing with his kids.
