Oracle security patches causing headaches

Oracle Corp. released a batch of security patches earlier this month, addressing dozens of vulnerabilities discovered this year. With limited information on each patch, DBAs are being forced to take entire systems out of production.

Oracle security expert Arup Nanda said Oracle's latest alert is frustrating to DBAs since very little information was released with each patch. With little information to go on, many enterprises are being forced to take entire systems out of production, Nanda said.

Nanda, a Norwalk, Conn.-based DBA who is president of Proligence, an Oracle consultancy, is co-author of a new book called Oracle Privacy Security Auditing. The book focuses on security and auditing regulations for the health-care industry; these rules are part of the Health Insurance Portability and Accountability Act of 1996.

In an interview with, Nanda discusses what steps companies are taking to install the first round of patches from Oracle and whether the software giant can respond more efficiently when vulnerabilities are discovered.

Why is the latest group of patches causing headaches to DBAs?

Security Alert No. 68 is really confusing and frustrating because Oracle gives little detail in the advisory as to the exact nature of the issues. We know that the patches eliminate vulnerabilities in the database server and the listener, in the application server and in the enterprise manager. But the Collaboration Suite and E-Business Suite are also affected. DBAs like to be absolutely certain that they need the patch and how much downtime is needed, and in this case, it is impossible to be certain because so little information is available. Entire systems are being taken down and that doesn't make anybody happy.

What is your advice to DBAs dealing with the patches?

Because no component is listed, DBAs should make every effort to apply the patch. It is a difficult process to get approval for downtime. All we know is that this patch addresses a very serious vulnerability, but we don't know exactly what it does affect. If you have an open system, there is a very good possibility that it could be easily exploited, but if you have a system well tied down behind a firewall, you don't have to take any immediate action.

What stage are DBAs in preparing to deploy these patches?

Most folks are still evaluating what has to be done and some folks are waiting for their next scheduled downtime to apply the patches. My recommendation is to apply the patches immediately, but I can't blame anybody for waiting for a scheduled downtime, because downtime costs the company money.

How have the latest vulnerabilities and Oracle's response affected the company's image?

The vulnerabilities definitely hurt their image. Today, many senior managers know all about these vulnerabilities, that Oracle issued a patch without disclosing a reason, and this doesn't make anyone happy. Microsoft has released patches in a similar fashion, but when you bring down a Windows system, it is not as visible as an Oracle database.

What can Oracle do to respond better in the future?

Oracle should specifically say which components are affected, because then DBAs can determine if the entire system needs to be taken out or just a few components. Another thing they can do is explain that if an enterprise takes certain actions on a database, then it should apply the patch. These things are not necessarily revealing to a hacker. A real hacker will find out from somewhere what to do to exploit a system.