Oracle patches are coming (not that DBAs care)

Oracle has another batch of quarterly patches coming, but it's unlikely that database administrators will give a hoot.

That's the primary takeaway from a survey by Sentrigo, a security software firm focused on databases. Sentrigo is best known for its Hedgehog software.

According to Sentrigo's rolling survey of Oracle Users Group meetings, one in 10 DBAs regularly apply critical Oracle patches. Meanwhile, two-thirds of Oracle DBAs have never applied critical Oracle patch updates. In other words, no one gives a rat's tail about Oracle's latest batch of patches on deck.

The survey is based on a limited sample--305 Oracle users amid thousands of database customers--but the findings are worrisome (not to mention timely). Would it kill DBAs to apply quarterly patches? Apparently.

The big issue: If these survey results are even half on target, that means there are a lot of unsecured databases out there. And given that the database is the biggest honey pot out there, Sentrigo's findings may flag problems ahead.

Talkback

4 comments
  • Maybe if Oracle made them findable

    Oracle has to have the worst patch tools I've ever seen. Try finding a patch they send out a notice for. They even give you a link and it's useless.
    voska1
  • Application Certification problems

    In my experience, most application providers that require an Oracle backend only certify (and therefore support) their application if it is running a very specific, and narrow, range of Oracle versions and patch revisions. This makes applying patches rather problematic.

    For in-house software the whole validation process coupled with the resource-challenged development departments usually makes patches an added headache. The perceived risk of not applying a patch versus the cost and time involved to apply nearly always results in patches being skipped.
    james@...
  • RE: Oracle patches are coming (not that DBAs care)

    I used to work for Oracle and Oracle patches are really application and database specific. You, the DBA, need to find out which patch fits your need and then apply them. We had staging servers for this purpose so if a patch broke a DB then we can fix it without affecting the production servers. However, not everyone can afford staging servers that can duplicate the production environment. These patches are NOT user friendly so I understand why DBAs are hesitant about installing these patches.
    phatkat
  • RE: Oracle patches are coming (not that DBAs care)

    Oracle needs to overhaul their entire patching system. The whole patching system is convoluted and buggy at best (case in point: the whole Daylight Savings patching debacle). The very fact that the large majority of Oracle's patches end up breaking something else (because of that OTHER patch you had to run beforehand that they didn't tell you about until you got the error message from the later patch) and the fact that your average company simply cannot afford to create a staging environment that COMPLETELY mirrors production makes the cons of patching outweigh any benefit of protection from a perceived security threat. It actually ends up being more cost-effective in the long run to invest in a decent IPS/IDS system and to leave your Oracle DB alone when it works.
    sirwombat