Is Poor Security Hygiene Rampant?

This on the eve of the release of a quarterly Critical Patch Update: Evidence that suggests two-thirds of Oracle DBAs may not bother themselves with applying security patches.

The sample involved is a small one (some 300 people), but the alarm bells should go off nonetheless.

Does this appear to be an accurate estimate? Interested in your thoughts.


Database Server patches have been stable and easy to apply over the years. On the other hand, the Applications stack has been the worst God awful mess to patch/update in any way. Every Oracle Applications patch is an exercise in job-threatening brinkmanship.

Posted by Michael O on January 14, 2008 at 01:05 AM PST #

I don't think I'm a security czar, but I am more interested in security than many of the people/customers I talk with. Based on my consulting experiences, I'd say that the figured cited are about right. I also think that DBs and app servers are treated quite differently when it comes to security. It seems that many places are more interested in application server security than DB security mainly because DBs usually sit inside a firewall or two while app servers are closer to the edge of the corporate network. Even so, I'd still say that more than 50% of the (Oracle) app server installations I encounter have never had CPUs applied. Worse yet, it isn't a conscious decision to not apply them--they usually don't know that the CPUs exist.

Posted by Dan Norris on January 14, 2008 at 01:19 AM PST #

In my shop, we get it done. It usually takes at least a quarter or two, mostly due to the complexity of the CPUs and the high level of extensions in our Apps environment, but we do eventually get it done.

Posted by Floyd on January 14, 2008 at 04:39 AM PST #

Hi Justin, Every UKOUG event I have been to where this has come up produces at *most* 20% (and probably a lot less) of people applying the CPU. Partly I think there is the feeling oh it's behind the firewall it safe, but also there really is a trade off between availability and applying the CPU it, as far as I'm aware cannot be done fully online. We have laid out the $$ for RAC to maximise our uptime, you are then setting the certainty of downtime against a theoretical risk of compromise, sometimes that stacks up in favour of not applying. Also, personally I prefer applying full patchsets, so question to you, will the much delayed have the january CPU rolled into it? regards, jason.

Posted by jason arneil on January 14, 2008 at 10:34 AM PST #

We will apply the CPU patches if it is determined that we have the potential for any of the vulnerabilities. Consequently, we have been rather religious on applying the patches on all of our database server.

Posted by Carol D on January 14, 2008 at 06:52 PM PST #

I think that the percentage of those applying CPU's depends on the type of industry application. It's the old adage, "If it ain't broke, don't fix it". Some risk averse shops (banks, financial institutions) are reluctant to apply patches because of the possibility (however remote) that there will be changes to their production environment. These types of shops must do extensive testing whenever they make a change, and some prefer to wait for thenext release. . . .

Posted by Donald K. Burleson on January 15, 2008 at 03:40 PM PST #

Post a Comment:
  • HTML Syntax: NOT allowed