Press release Box-ID: 381126

Imperva Inc. 3400 Bridge Parkway, Suite 101 94065 Redwood Shores, CA, United States http://www.imperva.com
Contact Ms Darshna Kamani +44 20 7183 2834

Imperva CTO comments on Impact of Oracle Critical Update of 85 Vulnerabilities

(PresseBox) (Redwood Shores, CA, )
Last night Oracle released a major Critical Patch Update that fixes 85 new security issues. Four of them were originally discovered by Imperva, and all 85 are covered by Imperva's technology. Below is a comment from Imperva's CTO, Amichai Shulman, on the patch and on what system administrators need to be wary of:

"Oracle contains some built-in packages. Imperva's ADC team members, myself and Yaniv Azaria, have found one of these packages vulnerable to three different types of attacks. A malicious individual would have been able to exploit the vulnerabilities in order to achieve one of the following attack goals:

a. Privilege elevation - using SQL injection

b. Changing the status of an existing Oracle job to the system

c. Submitting a new Oracle job to the system

This latest patch from Oracle is very extensive and will need a complex process to be put into place by system admins to ensure that the patches are prioritized, tested and deployed correctly while ensuring nothing else in their systems has been affected.

The bigger the patch, the more complex the process. Successfully implementing a patch requires the following stages:

a. Assessing the exploits as mentioned in the patch. This includes understanding the details of the exploit, whether it is applicable to the enterprise, and how an attack would affect the systems.

b. Assessing the process of patching the system with the Oracle CPU, for example, how a patch would affect the system. At times a patch may conflict with already existing code, or it may open some work-around. All this must first be assessed.

c. Assessing system downtime. Patching requires system downtime during which the database server cannot provide service to users. It is necessary to understand who is affected by the downtime and how long the service will be unavailable.

d. Patching the enterprise's systems. A process needs to be put in place, especially in enterprises which deploy hundreds of databases. This includes creating a timeline, prioritizing the databases in the order they should be patched, and reviewing the systems all along. For instance, if the patch happens to break some feature, this means returning to fix the system and making sure that future patching will not cause the same error.

This process should not be taken lightly. For many organizations, the process of patching lasts a few months, mainly between 3 and 6 months. DBAs, system and IT admins, developers: all of these play a role in the patching process. As resources and time are constrained, servers are left vulnerable for months after the release of a patch. Of course, the addition of more patches to different parts of the system, such as when MS patches pertain to servers, just adds complexity to the patching process.

As the process to deploy these patches can take a long time, Organisations need to ensure they are protected from these vulnerabilities even before patches are deployed by using other security products such as database activity monitoring tools."

If you would like any further information, or would like to speak to Amichai on the Oracle patch, please contact me on 44 207 183 2834 or email darshna@eskenzipr.com
The publisher indicated in each case is solely responsible for the press releases above, the event or job offer displayed, and the image and sound material used (see company info when clicking on image/message title or company info right column). As a rule, the publisher is also the author of the press releases and the attached image, sound and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.