Six major means and preventive measures of database intrusion (4)

Earlier articles in this series covered brute-force (and non-brute-force) cracking of weak passwords or default usernames and passwords, privilege escalation, and exploitation of vulnerabilities in unused and unneeded database services and functions. This article looks at exploiting unpatched database vulnerabilities.

The good news is that Oracle and other database vendors are indeed patching their vulnerabilities. The bad news is that organizations cannot keep up with these patches, so they remain exposed to attackers looking for an opening.

Database vendors are careful not to disclose the details of the vulnerabilities their patches fix, but organizations still spend enormous manpower and time testing and applying a database patch. For example, applying a patch requires testing every application affected by it, which is a daunting task.

Yuhanna said, "The biggest problem is that most companies don't patch their programs in a timely manner. One company told me they can only shut down their database once, take six hours to patch, and they run the risk of not patching because they can't shut down its operation."

Markovich said that most Oracle databases running today have at least 10 to 20 known vulnerabilities that hackers could exploit to gain entry. "These databases are not patched, and if a hacker can compare versions and pinpoint exactly where the vulnerabilities are, then he can track the database," he said.

Some hacking sites have published exploit scripts for known database vulnerabilities, he said. Organizations should patch even when keeping up with the patch cycle is extremely difficult. For example, Oracle's April 15 patch contained 17 issues inside the database, he said. These and other patches should not be taken lightly: every one of these problems can destroy your database.
