Oracle Corp. on Tuesday released its Critical Patch Update fixing vulnerabilities across its database and application product lines.
Redwood Shores, Calif.-based Oracle said its security update contained patches for 27 flaws, including eight in Oracle Database and six new security fixes for Oracle Application Server.
The more threatening database flaws included several SQL injection vulnerabilities and an XML DB handling error that could be exploited by an attacker without any special privileges, said Amichai Shulman, chief technology officer of Foster City, Calif.-based Imperva Inc. XML DB is a feature that provides native XML storage and retrieval technology within the Oracle database.
The focus of this particular CPU should be on client-side vulnerabilities, Shulman said. Five of the application server vulnerabilities may be remotely exploitable without authentication.
A problem with Oracle JInitiator is one of the most critical vulnerabilities, Shulman said. JInitiator enables end users to run Oracle Developer Server applications directly within Netscape Navigator or Internet Explorer on the Windows 95/98/2000 and Windows NT 4.0 platforms.
In addition, flaws were repaired in Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle PeopleSoft Enterprise products.
Meanwhile, a new survey suggests that Oracle database administrators are failing to deploy patches. The survey, however, is far from scientific, and some IT pros believe the results may be skewed.
The survey, conducted by Woburn, Mass.-based database security vendor Sentrigo, polled 305 Oracle database administrators from 14 Oracle user groups between August 2007 and January 2008.
The vendor asked whether the DBAs had ever applied an Oracle CPU. Of those surveyed, 206 said they had never applied any Oracle CPU; only 31 said they had installed the most recent security update from Oracle.
Slavik Markovich, chief technology officer at Sentrigo, said DBAs are ignoring CPUs for a variety of reasons. It is difficult to test and deploy updates without disrupting systems, he said.
"Oracle is the most complicated database with the most features and this makes its attack surface much larger," he said.
Markovich said the results of the survey are startling. In many cases, system stability and uptime may be trumping security, he said.
"The IT security guys may not be quite aware of what's going on in the database side," he said. "They think everything's being applied, but it's not."
Industry experts say it's unclear whether the respondents in the survey are DBAs running Oracle databases in a production environment. For example, DBAs within a software development organization would not need to deploy patches right away. Most firms with multiple production databases are bound by compliance regulations to have a patching cycle, said Imperva's Shulman.
"I'm certain that the vast majority of DBAs do not apply patches as they go out, because our surveys show that they are usually six to 12 months between patch cycles," Shulman said.