Database Administration with Style!
Database Diva Presents: Security Tutorials for Overworked Oracle™ Database Administrators
Oracle™ Patches

There are people who have dedicated their careers to finding exploitable features in Oracle software. The good news is that some of them report these vulnerabilities so they can be fixed. The bad news is that the others are quietly using these vulnerabilities to obtain data. Vulnerabilities are discovered and reported on a regular basis, and they are documented on Web sites such as red-database-security.com, http://www.sans.org, http://www.cert.org and http://www.us-cert.gov.

According to Oracle CSO Mary Ann Davidson, vulnerabilities are first fixed in the upcoming version of the software; Oracle then develops patches for older releases. Once a version has been "de-supported", Oracle no longer provides patches, but this does not mean that the older releases aren't vulnerable. It is very important to keep your Oracle software at a version that is still under support.

It has been reported that the vast majority of attacks occur after a patch has been released, because a patch release tends to attract attention to the vulnerabilities being patched. Oracle database customers are notoriously slow about patching the DBMS, because they don't want to take an outage. This policy leads to a "Pay me now, or pay me later" scenario, where the DBA team is betting that their database customers will be better served by keeping the database up and running than by applying the security patches. Since there have been no widespread attacks on Oracle databases, DBAs can be lulled into a false sense of security.

Oracle bundles patches into "patch sets", which are issued periodically as updates to the major release. Critical security patches that cannot wait for a patch set are bundled and released on a quarterly basis for all Oracle software products. Critical Patch Updates, or CPUs, are issued in January, April, July and October. Armed with this information, you should plan outages for February, May, August and November.
If you can't tolerate four production outages in a year, apply the CPUs to your development environment and plan for two production outages. The CPUs are cumulative, so applying the April CPU includes the January patches. The critical patch updates can be downloaded from Oracle's Metalink Web site, along with installation instructions and prerequisites. Details on available and upcoming security-related patches may be found at http://www.oracle.com/technology/deploy/security/alerts.htm.

The DBMS isn't the only Oracle™ software vulnerable to exploitation. Be sure to apply critical patch updates to Oracle™ client installations, too.

Links to more information about patches
Information Security News - SearchSecurity.com
Patch Verification of Oracle Database Servers - DatabaseSecurity.com
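An added example (not code from the original tutorial) that turns the quarterly, cumulative CPU schedule described above into a patch-lag check: it finds the newest CPU recorded for a database, works out which CPU should be in place as of a given month, and reports how many quarters behind the database is plus the planned outage month. The input rows are constructed in an assumed DBA_REGISTRY_HISTORY-like (ACTION, COMMENTS) shape, and the CPU label format is an assumption as well.

```python
import re

# The page's schedule: CPUs ship in January, April, July and October,
# and each CPU is cumulative (the April CPU includes January's fixes).
CPU_MONTHS = (1, 4, 7, 10)
MONTH_ABBR = {"Jan": 1, "Apr": 4, "Jul": 7, "Oct": 10}

# Constructed sample rows in the (ACTION, COMMENTS) shape a DBA might pull
# from DBA_REGISTRY_HISTORY; the layout is an assumption, not real output.
SAMPLE_HISTORY = [
    ("UPGRADE", "Upgraded from 10.1.0.4.0"),
    ("CPU", "CPUJan2006"),
    ("CPU", "CPUApr2006"),
]

def parse_cpu_label(label):
    """'CPUApr2006' -> (2006, 4); None when the text is not a CPU tag."""
    m = re.fullmatch(r"CPU(Jan|Apr|Jul|Oct)(\d{4})", label)
    return (int(m.group(2)), MONTH_ABBR[m.group(1)]) if m else None

def latest_applied_cpu(history):
    """Because CPUs are cumulative, only the newest applied one matters."""
    cpus = [parse_cpu_label(c) for a, c in history if a == "CPU"]
    cpus = [c for c in cpus if c is not None]
    return max(cpus) if cpus else None

def expected_cpu(year, month):
    """Most recent CPU released on or before the given year/month."""
    released = [m for m in CPU_MONTHS if m <= month]
    return (year, released[-1]) if released else (year - 1, CPU_MONTHS[-1])

def quarters_behind(applied, expected):
    """How many quarterly CPUs separate the applied one from the expected one."""
    if applied is None:
        return None          # nothing ever applied: flag rather than count
    idx = lambda ym: ym[0] * 4 + CPU_MONTHS.index(ym[1])
    return max(0, idx(expected) - idx(applied))

def planned_outage_month(cpu):
    """The page's rule: take the outage the month after the CPU is released."""
    return (cpu[0], cpu[1] + 1)

def report(history, year, month):
    applied = latest_applied_cpu(history)
    expected = expected_cpu(year, month)
    return {"applied": applied, "expected": expected,
            "quarters_behind": quarters_behind(applied, expected),
            "outage_month": planned_outage_month(expected)}

if __name__ == "__main__": print(report(SAMPLE_HISTORY, 2006, 7))
```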
Last update 07/05/2006
Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates.