2015 database vulnerability threat report - vulnerability warning - the black bar safety net

ID MYHACK58:62201570536
Type myhack58
Reporter Anonymous
Modified 2015-12-30T00:00:00


The Internet is like air: it has become thoroughly integrated into our lives, and we have grown used to storing more and more data online in exchange for more convenient services. The security incidents that follow, however, are invariably shocking. Looking back over the data-leak events of 2015: in January, the Jifeng (机锋) forum leaked the information of 23 million users, including usernames, e-mail addresses and encrypted passwords. Then came leaks of large volumes of home-buyer information from more than ten domestic property companies, 100,000 insurance policies from Chinese Cantonese Life, 6 million user records from Damai (大麦网) and over a million user records from NetEase Mail... A series of information leaks kept everyone on tenterhooks. When the nest is overturned, no egg stays whole: the world's second-largest bitcoin exchange, Bitstamp, was hacked; the new banking Trojan Emotet stole German citizens' banking credentials; and even Swiss banks, long renowned for security, find it hard to escape the hacking nightmare in the world of the Internet.

Database vulnerability research origin

In the big-data era the data volume of every industry is growing explosively. Databases are being deployed in many new scenarios, and in some of them they face security threats that their existing security mechanisms cannot guard against. What we see is a sharp contrast between the excellent performance of databases and the security mechanisms behind them. Although database security was originally designed according to U.S. Department of Defense standards, those standards differ greatly from what security means in practice. Even though most commercial databases have passed security-standard inspection, as features develop and deployments move into hazardous environments, the short board of security becomes their Achilles' heel.
Database security entered security teams' field of view at the beginning of 1996; in April of the same year Oracle disclosed its first vulnerability, and with each new version and new feature the number of vulnerabilities has grown rapidly. In 2014 the number of vulnerabilities disclosed across the major databases reached 129.

Figure 1.1: Number of mainstream database vulnerabilities, 2011-2015

From the start of 2015 to early December 2015, 76 database vulnerabilities were confirmed, 53 fewer than in 2014, a reduction of 41%. This is closely linked to the large database vendors developing their own code-audit tools.

2015 vulnerability distribution

Figure 1.2: 2015 database vulnerability distribution

Of the 76 database vulnerabilities exposed this year, MySQL accounted for 62% of the year's total, 47 in all, concentrated mainly in the two mainstream versions 5.5 and 5.6. Analysis by the Anhua Jinhe (安华金和) Database Security Attack and Defense Laboratory found that the 47 MySQL vulnerabilities are scattered across 12 MySQL components and one unknown component. MySQL is known to be a lightweight database that is easy to strip down and reassemble, and many of the 12 components are non-essential. For example, InnoDB had 6 vulnerabilities; if your business does not need InnoDB, we recommend disabling it.
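The InnoDB advice above, as an added example that is not part of the original report: before disabling the engine, confirm that no table depends on it. The queries use only the standard information_schema views and SHOW VARIABLES; the my.cnf lines in the comments apply to the 5.5/5.6 branches the report names and are given here as an assumption about a typical deployment, not as the report's own configuration.

```sql
-- Added example, not from the report. Run as an administrative MySQL user
-- on a 5.5 / 5.6 server before deciding whether InnoDB can be disabled.

-- 1. Server version: compare with the 5.5 / 5.6 branches the report flags.
SELECT VERSION() AS server_version;

-- 2. Which storage engines are compiled in and enabled on this server?
SELECT engine, support, comment
  FROM information_schema.engines
 ORDER BY engine;

-- 3. Which user tables actually use InnoDB? If this returns any rows, the
--    engine is in use; disabling it would make those tables unreadable.
SELECT table_schema, table_name, table_rows
  FROM information_schema.tables
 WHERE engine = 'InnoDB'
   AND table_schema NOT IN ('mysql', 'information_schema', 'performance_schema')
 ORDER BY table_schema, table_name;

-- 4. The default engine for newly created tables (InnoDB from 5.5 onward).
SHOW VARIABLES LIKE 'default_storage_engine';

-- If step 3 is empty and the applications do not need transactions, the
-- engine can be switched off in my.cnf (assumed path; adjust to your host):
--
--   [mysqld]
--   skip-innodb
--   default_storage_engine = MyISAM
--
-- Restart mysqld and re-run step 2: InnoDB should now show support = 'NO'.
```

Keep the step 3 query in a scheduled check as well: a later deployment that creates an InnoDB table would otherwise fail silently to start once skip-innodb is in place, and the audit catches the dependency before the restart rather than after it.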

Figure 1.3: MySQL vulnerability distribution by component

We therefore recommend that companies, groups and individuals using MySQL apply patch upgrades to their MySQL databases promptly. Units with R&D capability are best advised to audit the MySQL source code and fix the problems themselves, strip out the components unrelated to their own business, and compile a customized MySQL suited to their own application needs.

Oracle Database likewise had 14 vulnerabilities exposed, ranking second. These were concentrated in the Java VM, XDB and the Core RDBMS. The Core RDBMS is the most central component of Oracle Database: on Windows it appears as a single oracle.exe process, while under Linux it is split into several processes, each responsible for a different function, which together keep the Oracle database running normally. The Java VM is the Java virtual machine responsible for running Java code inside Oracle, for example Oracle's graphical installer. XDB vulnerabilities tend to arise in XDB, the component responsible for processing XML. XDB exposes two external ports, HTTP and FTP, and these two ports regularly bring the database buffer-overflow vulnerabilities, high-risk vulnerabilities that require no authentication.

Figure 1.4: Oracle vulnerability distribution by component

The perennially high number of Oracle database vulnerabilities is inseparable from its own complex logic.

Figure 1.5: 2015 database vulnerabilities, classified by vendor

In 2015, Oracle's vulnerabilities accounted for 83% of the total vulnerability count. This is closely related to the market share its two databases occupy and the complexity of the functions they support. It should be understood that the number of vulnerabilities in a vendor's products relates not only to the security of the product itself but also to the vendor's number of products, product complexity, the degree of researcher attention and other factors.
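The XDB HTTP and FTP ports discussed above, as an added example that is not part of the original report: a defender's check of whether the two protocol listeners are open, and how to close them when no application uses XML DB over HTTP or FTP. It uses the DBMS_XDB port procedures of Oracle 10g/11g and the DBA_REGISTRY view; on 12c the same calls live in DBMS_XDB_CONFIG. Run as SYS or another SYSDBA user.

```sql
-- Added example, not from the report. Oracle 10g / 11g; on 12c replace
-- DBMS_XDB with DBMS_XDB_CONFIG for the port procedures.

-- 1. Is the XML DB component installed and valid at all?
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'XDB';

-- 2. Current XDB protocol ports. A value of 0 means that listener is off;
--    the defaults after an installation are typically 8080 (HTTP) and 2100 (FTP).
SELECT DBMS_XDB.GETHTTPPORT() AS http_port,
       DBMS_XDB.GETFTPPORT()  AS ftp_port
  FROM dual;

-- 3. Disable both listeners if nothing depends on XML DB over HTTP/FTP.
--    This removes the unauthenticated network surface the report describes
--    without uninstalling XDB itself.
BEGIN
  DBMS_XDB.SETHTTPPORT(0);
  DBMS_XDB.SETFTPPORT(0);
  COMMIT;
END;
/

-- 4. Re-run step 2: both ports should now read 0. Confirm from the OS shell
--    that the listener no longer advertises the HTTP/FTP endpoints:
--      lsnrctl status
```

If a business application does need one of the two protocols, keep only that port open and restrict it at the network layer to the hosts that use it; the report's point is that these listeners accept traffic before any database authentication, so exposure should be decided explicitly rather than left at the installation default.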
Therefore we cannot simply believe that the more vulnerabilities a vendor discloses, the more insecure its products are. In fact, Oracle is at the forefront of the industry in both performance and security.

2015 database vulnerability threat types

Vulnerabilities are divided by degree of harm into three categories: high-risk, medium-risk and low-risk. In 2015, 7 mainstream databases had high-risk vulnerabilities.

Figure 1.6: 2015 database vulnerabilities, classified by threat level

High-risk vulnerabilities accounted for 12% of the total, medium-risk vulnerabilities for as much as 58%, and low-threat vulnerabilities for 30%.

Figure 1.7: Threat-level scale

The 12% of high-risk vulnerabilities are Anhua Jinhe's (安华金和) focus of attention, so our advice is: high-risk vulnerabilities must be dealt with promptly. In some specific situations low- and medium-risk vulnerabilities can also reach the degree of harm of a high-risk vulnerability, so low-risk vulnerabilities should also be repaired in a timely manner.

2015 database exploit trends
