Oracle puts out its share of security patches for its software. However, for many database administrators and IT professionals, the amount of manual labor involved and the threat of downtime can seem as troublesome as the vulnerability itself.
According to research by database security company Sentrigo, many Oracle DBAs are opting to put patches on hold in response to the everyday realities of managing security threats. Sentrigo took a rolling survey of DBAs, consultants and developers at Oracle Users Group meetings across the country beginning in August, ultimately collecting responses from 305 people.
What the company found: just 31 people, roughly 10 percent of those surveyed, had deployed the most recent set of critical patch updates (CPUs) from Oracle. About 67.5 percent, or 206 respondents, said they had never applied a critical update from Oracle. The study did not ask whether the respondents were using older versions of Oracle’s database products not addressed by the quarterly updates the company began issuing about three years ago.
“[The respondents] gave a couple of answers but I think the primary reason [is] … it’s a lot of work,” said Slavik Markovich, chief technology officer of Sentrigo. “Usually what DBAs are doing is waiting for full patch sets, so they are skipping the CPUs and waiting for full patch sets to be deployed.”
Though the survey did not question the size of the organizations represented – whether they were enterprises or small to midsized businesses, for example – Markovich said both camps were represented. With SMBs, he said, the issue is often one of manpower. For enterprises, the issue can also be the sheer number of databases involved.
Oracle on Jan. 15 is set to release its first CPU of 2008, complete with 27 security fixes across hundreds of its products. While Sentrigo officials urged Oracle customers to download the latest patches as quickly as possible, they themselves use virtual patching to protect against zero-day attacks against databases. Another partial answer is simply to upgrade to Oracle Database 11g, said Ari Kaplan, president of the Independent Oracle Users Group.
“For downtime, Oracle has introduced hot patching for Database 11g, enabling patches to be implemented without downtime,” he said. “If a company is not yet on 11g, they can do a complicated dance for rolling upgrades to avoid downtime. Or they need to schedule time in the middle of the night for applying patches.”
Kaplan said it was not uncommon for databases to be out of step with the latest CPU, and counted certification as a major obstacle to patch deployment.
“For certification, there is usually a matrix of which environments are known to be supported by the patch,” he said. “Home-grown applications may need to go through regression testing of applications. It all depends on where in the stack the patch is applied – database, server, application or other.”
He said different companies have different procedures and requirements that can contribute to their DBAs being on time or delayed with the patches.
“For example, if a corporate procedure calls for applying security patches within 24 hours of its release, it will be updated timely,” Kaplan said. “If it is left up to the DBA to decide, and they have other priorities or get caught in a meeting, the patch may be forgotten.”
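The kind of corporate procedure Kaplan describes is easiest to enforce when someone can see, per database, how far behind the current CPU it is. The script below is an added example, not code from the article, Sentrigo or Oracle: it takes an inventory of databases (the records, version strings and the earlier CPU date are constructed sample values; only the Jan. 15, 2008 release date comes from the article), applies a policy window in days (the 24-hour window from Kaplan's example, or any other), and classifies each database as compliant, late, pending, overdue or never patched. The summary function also reproduces the two figures the survey reported, the share on the current CPU and the share that never patched, so the same report can be compared against those numbers.

```python
"""Patch-compliance report for an inventory of Oracle databases.

Added example (not from the article, Sentrigo or Oracle). Inventory
records below are constructed sample data; the CPU release date is the
one the article gives for Oracle's first CPU of 2008.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CPU_RELEASE_2008_01 = date(2008, 1, 15)  # release date stated in the article
REPORT_DATE = date(2008, 2, 1)           # assumed date the report is run


@dataclass(frozen=True)
class DatabaseRecord:
    """One database in the inventory (constructed sample data)."""
    name: str
    version: str
    last_cpu: Optional[date]    # release date of the CPU last applied; None = never
    applied_on: Optional[date]  # date that CPU was applied


@dataclass(frozen=True)
class Finding:
    name: str
    status: str        # compliant | late | pending | overdue | never-patched
    days_exposed: int  # days the database ran without the current CPU


def classify(db: DatabaseRecord, current_cpu: date, report_date: date,
             policy_days: int) -> Finding:
    """Compare one database against the policy window for the current CPU."""
    deadline = current_cpu + timedelta(days=policy_days)
    if db.last_cpu is None or db.applied_on is None:
        # Matches the survey's 'never applied a CPU' group.
        return Finding(db.name, "never-patched", (report_date - current_cpu).days)
    if db.last_cpu >= current_cpu:
        # Current CPU is on: compliant if applied inside the window, else late.
        exposed = max((db.applied_on - current_cpu).days, 0)
        status = "compliant" if db.applied_on <= deadline else "late"
        return Finding(db.name, status, exposed)
    # Still on an older CPU: pending while the window is open, overdue after it.
    exposed = (report_date - current_cpu).days
    status = "pending" if report_date <= deadline else "overdue"
    return Finding(db.name, status, exposed)


def report(inventory: List[DatabaseRecord], current_cpu: date,
           report_date: date, policy_days: int) -> List[Finding]:
    return [classify(db, current_cpu, report_date, policy_days) for db in inventory]


def summary(findings: List[Finding]) -> dict:
    """Share on the current CPU and share never patched, as in the survey."""
    total = len(findings)
    on_current = sum(f.status in ("compliant", "late") for f in findings)
    never = sum(f.status == "never-patched" for f in findings)
    return {
        "total": total,
        "on_current_cpu_pct": round(100 * on_current / total, 1),
        "never_patched_pct": round(100 * never / total, 1),
    }


# Constructed sample inventory; the October 2007 date is a placeholder for
# the previous quarterly CPU, not a value taken from the article.
INVENTORY = [
    DatabaseRecord("hr-prod", "10.2.0.3", date(2008, 1, 15), date(2008, 1, 16)),
    DatabaseRecord("erp-prod", "10.2.0.3", date(2007, 10, 16), date(2007, 11, 2)),
    DatabaseRecord("dw-prod", "10.2.0.2", None, None),
    DatabaseRecord("crm-test", "11.1.0.6", date(2008, 1, 15), date(2008, 1, 25)),
    DatabaseRecord("legacy", "9.2.0.8", None, None),
]


if __name__ == "__main__":
    findings = report(INVENTORY, CPU_RELEASE_2008_01, REPORT_DATE, policy_days=1)
    for f in findings:
        print(f"{f.name:10} {f.status:14} exposed {f.days_exposed:3d} days")
    print(summary(findings))
```

With the 24-hour policy, only the database patched the day after release is compliant; widening the window to 30 days turns the overdue database into pending and the late one into compliant, which is the trade-off a procedure owner is actually choosing when they set the window.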