Sentrigo Delivers Full Virtual Patching Coverage for Database Security Vulnerabilities Disclosed in Recent Oracle CPU
Business Wire, Oct 17, 2008
Sentrigo Database Security Experts Credited with Discovery of Two Recent Oracle Vulnerabilities, Including the Most Severe
WOBURN, Mass. -- Sentrigo, Inc., the innovator in database security software, today announced that within just two days of Oracle Corporation's October 14 release of the Oracle Critical Patch Update (CPU), it has updated its Hedgehog software to address all 15 Oracle database security vulnerabilities. These updates are now available to all Hedgehog vPatch[TM] and Hedgehog Enterprise[TM] customers who subscribe to virtual patching updates. Sentrigo's virtual patching software and rolling security updates comprise the only solution on the market today to address database vulnerabilities as soon as they're discovered, without requiring database downtime or application testing, giving database administrators a stop-gap solution until they can fully patch their databases, a process that often takes months.
The Sentrigo Red Team of database security researchers provides Hedgehog vPatch updates whenever it discovers new vulnerabilities and when database vendors such as Oracle and Microsoft issue security patches. Sentrigo's chief technology officer, Slavik Markovich, and researcher Guy Pilosof are credited by Oracle with the discovery of two of the most severe of the 15 vulnerabilities addressed by the recent Oracle CPU.
The first vulnerability, CVE-2008-3989, which Oracle gauged to be the most severe addressed by the October 14 CPU with a CVSS score of 6.5, exists in the Oracle Data Mining option in the Oracle database. It may be exploited to perform a buffer overflow attack--a common approach to compromising databases that allows the attacker to damage the system in a way that denies availability to users, injects malicious content such as Trojan horses or viruses, or inserts false information.
In addition, Sentrigo reported CVE-2008-3992, also in Oracle Data Mining. This vulnerability may be exploited to perform a SQL injection attack, in which a malicious user injects crafted and unexpected input into an SQL statement that is later executed. Such statements may insert false information into the database, export sensitive information, or damage the availability of the database or associated applications, and are often used for privilege escalation that gives the attacker control of database functions.
"Sentrigo has built an absolutely world-class team of researchers who have been able to discover and report vulnerabilities, as well as to respond with lightning speed and to provide protection to our customers as soon as vulnerabilities are published," said Markovich. "Database administrators must keep current with patches issued by DBMS vendors and patch as soon as possible. But in the interim, Sentrigo's virtual patching solutions fill the gaps."
Sentrigo's Hedgehog vPatch is a subscription-based offering. It is part of the Hedgehog family of products--host-based, software solutions for real-time database activity monitoring, auditing and breach prevention, and is available for download and free evaluation from www.sentrigo.com.
About Sentrigo
Sentrigo, Inc. is a recognized innovator in database security. The company's Hedgehog software provides full-visibility database activity monitoring and real-time protection and has been rapidly adopted by Fortune 1000 companies to defend mission-critical data against insider misuse as well as outsider intrusion. Enterprises across industry sectors are also using Sentrigo Hedgehog to accelerate compliance with regulatory requirements such as PCI DSS, Sarbanes-Oxley and HIPAA. Sentrigo has won wide acclaim for its industry and technology leadership by publications such as Network World and SC Magazine. For additional information and to download Hedgehog, visit www.sentrigo.com.
Sentrigo, Sentrigo Hedgehog, Hedgehog IDentifier and the Sentrigo logo are trademarks of Sentrigo, Inc. All other trademarks are the property of their respective holders.

