Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Why does the parameter count change"] [Next entry: "Oracle release the January 2008 CPU patch"]

Sentrigo release a study of how many people apply a CPU

Disclaimer:- Limited is a UK Channel Partner for Sentrigo Hedgehog.

Today Sentrigo have released a short press statement titled Survey of Oracle Database Professionals Reveals Most Do Not Apply Security Patches that discusses their findings over the last few months of taking a poll at various Oracle conferences and user groups. The results are shocking:

"This survey scares the heck out of me," said Mike Rothman, president and principal analyst, Security Incite. "The database is where most of an organization's critical and regulated data resides and if it's not patched in a timely fashion, organizations are asking for trouble."

But from my perspective not shocking as I talk to lots of my own customers (usually the discussion comes around to patching and CPU's) and also lots of Oracle's customers at various conferences and user groups that i attend. The recent round table at the UKOUG spent most of the time discussing the same subject and the feeling there was the same, that only a very small percentage of people install a CPU within the quarter (perhaps 1 - 5%), a slightly larger percentage do apply CPU's but usually not within the quarter. The worst figure is that around 80% never apply a CPU at all, although in my experience I come across a strange phenomina in this area that i find databases where a CPU has been applied but its perhaps 2 years old. This indicates to me that there was some effort in this area but then the company "gave up".

Sentrigo found that 10% of respondents had applied the latest CPU. There is some lag here though in that this could span two quarters so the figure may be worse. Then they found that 67.5 respondents had never applied a CPU.

There are companies out there who buck the trend (you know who you are!) and do apply CPU's consistently and to large numbers of databases successfuly and within around one quarter. It is possible and it can be done reliably.

I am starting to get the impression from talking to a lot of people that the issue has become psycological, a lot of companies beleive its difficult, that it will fail and that everything in the organisation needs to be regerssion tested. Remember that Oracle do re-release patches after a lot of feedback from customer applications and they do fix bugs found.

Patching should be easier (physically and on the mind!), afterall most people let Windows download and update automatically (Please don't take that as an indication that I think Oracle databases can be patched authomatically like Windows - I don't!) but the process can become easier.

As Slavik said, tools like Sentrigo's Hedgehog can provide an additional layer of security until you patch or for un-supported databases.

There has been 3 Comments posted on this article

January 14th, 2008 at 09:31 pm

Pete Finnigan says:

David Litchfield recently estimated that there are about 148,000 Oracle database servers listening on the internet with the default port.

If both Litchfield's and Sentrigo's estimates are accurate, that definately sounds like the right conditions for the next worm or mass exploitation, don't you think?

January 16th, 2008 at 02:26 am

Pete Finnigan says:

Hi Pete,
While I agree that not applying the CPU's is a bad practice, I can't say as I am all that surprised at the result. The CPU's are complicated to wade through, and not regression testing them in your environment is one gigantic mistake. I think it's a bit much to think that we should all just rush right out and apply the latest CPU. Nobody wants to be the customer that finds the bug in the CPU, and no DBA wants to be the one who is waiting on a fix for the CPU that they hopped right on and applied.
In the security world it's OK to say "you must apply these patches", but in the real world of deadlines and multiple responsibilities patch application must be juggled and weighed with other factors, like downtime and risk assessment.
One more thing, Not that I think Sentrigo is slanted or anything, but I really hate to see a study released that says "Oracle DBA's aren't patching" and then they turn around and say "BTW, we have a product that can help with that". If I'm really security concious wouldn't that make you wonder?

January 16th, 2008 at 09:33 pm

Pete Finnigan says:


I am not surprised by the results either. I have experience of talking to a lot of people who reflect the same feelings of this survey. I wasnt trying to suggest that people should treat Oracle like Windows update but was trying to suggest that Oracle updates should be easier than they are now both on the mind and actually technically. I agree that regression testing cannot be ignored but there has to be easier methods for people to apply CPU's quicker and easier. Maybe this is just a committment from Oracle that any bugs located in a CPU will be treated with the highest priority and fixed; not left for the next CPU. Also as I chatted about with people at the UKOUG recently maybe Oracle should have some "mega" internal regression test suite that exercises avery part of the Oracle software so that for every CPU it can be regression tested internally and the output can be compared to the basline in terms of functionallity, peformance and ??