On 17 January 2006, Oracle released its latest Critical Patch Update (CPU), which includes patches for 82 vulnerabilities across multiple product lines, including: all currently supported Oracle databases; Oracle Application Server; Oracle Enterprise Manager; Oracle Collaboration Suite; Oracle E-Business Suite; PeopleSoft applications; and JD Edwards applications. Oracle has made information on related security issues and practices available at:
Gartner supports the quarterly CPU program, which enables system administrators to plan and schedule Oracle maintenance. However, the range and seriousness of the vulnerabilities patched in this update cause us great concern. The database products alone include 37 vulnerabilities, many rated as easily exploitable and some potentially allowing remote database access. Oracle has not yet experienced a mass security exploit, but this does not mean that one will never occur.
Many Oracle administrators rely on a combination of the company's historically strong security and the fact that Oracle applications and databases are typically located deep within the enterprise, and so neglect to patch their systems regularly. Moreover, patching is sometimes impossible, due to ties to legacy versions that Oracle no longer supports. These practices are no longer acceptable, because:
Recommendations for enterprises using Oracle databases and applications
1. Move immediately to shield these systems as well as possible, using firewalls, intrusion prevention systems and other technologies. Develop a shielding schedule that coincides with Oracle CPU release dates.
2. Apply the available patches as rapidly as possible, because incomplete information from Oracle will necessarily make shielding incomplete.
3. Use alternative security tools, such as activity-monitoring technologies, to detect unusual activity.
4. Pressure Oracle to change its security management practices.
Analytical Source: Rich Mogull, Gartner Research