database – Network Security Blog

Examining the Current State of Database Security

Posted by amolsarwate in Qualys Technology, Security Labs, The Laws of Vulnerabilities on March 10, 2017

Considering that database systems hold extremely valuable and sensitive information, one would assume that most organizations would fiercely protect these “crown jewels” with great care. Unfortunately, that is not the case.

Throngs of databases in organizations worldwide are unsafe, at high risk of being breached by malicious hackers, rogue employees and crooked partners. This sorry state of database security puts financial data, customer information, health records, intellectual property treasures and more in grave danger.

Below we’ll discuss the two main causes for database security breakdowns — unpatched vulnerabilities and configuration errors — along with helpful tips for reducing the risk of database breaches.

No Comments
Permalink
Tags: configuration, data breach, database, patch, ransomware, vulnerability management

Oracle January 2017 CPU Fixes 270 Vulnerabilities

Posted by amolsarwate in The Laws of Vulnerabilities on January 17, 2017

Oracle kicked off the New Year with its first installment of the quarterly CPU (critical patch update) for 2017. The update contains fix for 270 security issues across wide range of products. The graph below shows distribution of the update. More than 100 vulnerabilities that were fixed could be compromised by a remote attacker without requiring any credentials. Most remote vulnerabilities could be exploited over the HTTP protocol.

No Comments
Permalink
Tags: cpu, database, mysql, oracle, patch tuesday, solaris

Oracle July 2016 Critical Patch Update

Posted by amolsarwate in The Laws of Vulnerabilities on July 19, 2016

Today Oracle released its July critical patch update fixing 276 security issues across hundreds of Oracle products. On average in 2015 Oracle fixed about 161 vulnerabilities per update and the number was 128 in 2014. That makes today’s update the largest and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials. The table lists components ordered by the number of issues and description below has details. Since most organizations have different teams to patch databases, networking components, operating systems, applications server and ERP systems, I have broken down the massive update in these categories.

No Comments
Permalink
Tags: cpu, database, GlassFish, mysql, oracle, peoplesoft, Siebel, solaris, Sun Blade, WEbLogic

Oracle April CPU 2014: Java Takes the Lion’s Share

Posted by amolsarwate in The Laws of Vulnerabilities on April 15, 2014

Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c and both the vulnerabilities need credentials to be exploited remotely.

No Comments
Permalink
Tags: cpu, database, java, mysql, oracle, peoplesoft, solaris

Qualys Blog

Examining the Current State of Database Security

Oracle January 2017 CPU Fixes 270 Vulnerabilities

Oracle July 2016 Critical Patch Update

Oracle April CPU 2014: Java Takes the Lion’s Share