Databases Are Vulnerable

At any time, hundreds of known vulnerabilities exist in the DBMSs from multiple vendors, across the different versions from each. Despite that fact, patches that can provide protection are often not deployed. While the reasons are understandable, unpatched databases still present a tempting target.

Installing Vendor Patches is Difficult, Time Consuming and Disruptive

Patching constitutes an update to the DBMS kernel, which requires database downtime. Since many organizations run on a 24x7 cycle, taking down a database for the purpose of patching just isn’t a viable option.

Still, the threat remains. The very complexity of databases makes them especially susceptible to attack, providing multiple points of entry for unauthorized users and intruders and leading to attacks that can open the doors for data theft on a very large scale. And the fact that these very databases typically hold an organization’s most valued and highly sensitive information makes them a very attractive target.

Exploits published on the Web can enable even less skilled users to hack into the database and own it by using privilege escalation, and attack vectors such as SQL injection and buffer overflow.

Severe vulnerabilities even allow remote access by unauthenticated users, for example, those who are on remote IP addresses and have no database login credentials at all. With so many known risks for DBMSs across so many vendors and versions, it seems unthinkable that databases would be left unpatched. But they are.