Sentrigo Inc., considered an innovator in database security software, has announced that within just two days of Oracle Corporation’s October 14 release of the Oracle Critical Patch Update (CPU), it has updated its Hedgehog software to address all 15 Oracle database security vulnerabilities.
All Hedgehog vPatch and Hedgehog Enterprise customers will now have access to these updates if they subscribe to virtual patching updates. This virtual patching software and the rolling security updates make up what Sentrigo positions as the only solution on the market today to address database vulnerabilities as soon as they are discovered.
These patches and solutions can be integrated without database downtime or application testing. As such, database administrators have a stop-gap solution until they can fully patch their databases, a process that often takes months.
Hedgehog vPatch updates are provided by the Sentrigo Red Team of database security researchers when it discovers new vulnerabilities and when database vendors such as Oracle and Microsoft issue security patches.
Oracle has credited Sentrigo’s chief technology officer, Slavik Markovich, and researcher Guy Pilosof with the discovery of two of the most severe of the 15 vulnerabilities addressed by the recent Oracle CPU.
The first vulnerability, CVE-2008-3989, is in the Oracle Data Mining option of the Oracle database and was gauged by Oracle to be the most severe of those addressed by the October 14 CPU. This vulnerability was assigned a CVSS score of 6.5.
This vulnerability may be exploited to perform a buffer overflow attack, a common approach to compromising databases that allows the attacker to damage the system in such a way that it denies availability to users, injects malicious content such as Trojan horses or viruses, or inserts false information.
Sentrigo also reported CVE-2008-3992, which is in Oracle Data Mining. This vulnerability may be exploited to perform a SQL injection attack, one in which a malicious user injects crafted and unexpected input into an SQL statement that is later executed.
Such statements may insert false information into the database, export sensitive information, or damage the availability of the database or associated applications, and are often used for privilege escalation that provides the attacker with control of database functions.
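The article does not describe the Oracle Data Mining flaw in detail, so the following is an added illustration, not code from the article, from Sentrigo or from Oracle: a hypothetical PL/SQL procedure that builds dynamic SQL from caller input in the unsafe way the article describes, beside a hardened form that removes the privilege-escalation path. Procedure, parameter and table names (`drop_scratch_table`, `orders`) are assumed for the example.

```sql
-- Added example; hypothetical procedures, not Oracle's Data Mining code.

-- 1) The risky pattern: a definer's-rights procedure (it runs with the
--    owner's privileges) that splices a caller-supplied name straight into
--    dynamic SQL. Any user allowed to execute it can make the owner's
--    privileges run SQL the caller chose, which is the privilege-escalation
--    route the article describes.
CREATE OR REPLACE PROCEDURE drop_scratch_table_unsafe (p_table IN VARCHAR2)
AUTHID DEFINER
AS
BEGIN
  EXECUTE IMMEDIATE 'DROP TABLE ' || p_table;   -- unvalidated concatenation
END;
/

-- 2) Hardened form for an identifier that must be concatenated:
--    - AUTHID CURRENT_USER: the statement runs with the caller's own
--      privileges, so the procedure cannot lend the owner's rights to anyone.
--    - DBMS_ASSERT.SQL_OBJECT_NAME returns the name only if it is a valid
--      identifier of an existing object and raises ORA-44002 otherwise, so
--      appended SQL text never reaches EXECUTE IMMEDIATE.
CREATE OR REPLACE PROCEDURE drop_scratch_table (p_table IN VARCHAR2)
AUTHID CURRENT_USER
AS
  l_name VARCHAR2(128);
BEGIN
  l_name := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  EXECUTE IMMEDIATE 'DROP TABLE ' || l_name;
END;
/

-- 3) Where the untrusted value is data rather than an identifier, pass it
--    as a bind variable; bind values are handed to the statement as values
--    and are never parsed as SQL, so no input can alter the statement.
CREATE OR REPLACE PROCEDURE count_rows_by_status (p_status IN  VARCHAR2,
                                                  p_count  OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE status = :s'
    INTO p_count USING p_status;
END;
/
```

A virtual patch of the kind the article describes sits in front of code like the first procedure and blocks the malformed input; the second and third forms remove the defect in the code itself.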
“Sentrigo has built an absolutely world-class team of researchers who have been able to discover and report vulnerabilities, as well as to respond with lightning speed and to provide protection to our customers as soon as vulnerabilities are published,” said Markovich, in a Friday statement.
“Database administrators must keep current with patches issued by DBMS vendors and patch as soon as possible. But in the interim, Sentrigo’s virtual patching solutions fill the gaps.”
The Hedgehog vPatch from Sentrigo is a subscription-based offering and is part of the Hedgehog family of products. This suite includes host-based, software solutions for real-time database activity monitoring, auditing and breach prevention, and is available for download and free evaluation.
While Oracle database solutions provide significant functionality to the enterprise, they can cause considerable damage if they are vulnerable to attacks. Sentrigo has made its mark in the industry and with Oracle by identifying vulnerabilities and making sure that clients have easy access to the fixes necessary to protect their database and their information.
Susan J. Campbell is a contributing editor for TMCnet and has also written for eastbiz.com. To read more of Susan's articles, please visit her columnist page.
Edited by Tim Gray