[Oracle 10g Enterprise on AIX 5L]

Hi Everyone,

It's me the neophyte dba again...I'm eager to patch our db's from
10.1.0.2 to 10.1.0.4, with the latter being a prereq for the July 2005
Critical patch. We have no db's in production yet and have three
vendors involved in this project. Internally, my request to patch our
existing dev db's is met with extreme caution. The concern being that
the vendors may or will not offer support if they haven't tested the
patch themselves. Is this a normal situation? Personally I agree that
we want to have good relationships with the vendors, but I think they
have a responsibility to respond to critical patches (install, test and
support to that level) in a timely manner.

To date I've informed my PM's that there is a critical patch for the
db's and that since July the vulnerabilities are now public knowledge.
Not sure if there's anything else I can or should do. Oh ya...I'm
documenting this to cma.

Any words of wisdom are greatly appreciated.

Brian Peasey


  • David Sharples at Oct 19, 2005 at 8:57 am
    I agree with you, vendors (I am one myself) should within a reasonable
    amount of time apply updates and patches and test them to make sure they are
    ok.
    But you want to remain supported and it's fair on the vendors to say you
    will run at the recommended level or they cannot guarantee it will work properly.
    Just push hard on the vendors and say you are responsible if my data gets
    hacked into. Might push them into gear then.
    --
    http://www.freelists.org/webpage/oracle-l
  • Mercadante, Thomas F (LABOR) at Oct 19, 2005 at 9:00 am
    Brian,

    Philosophically you are absolutely correct in everything you say.

    But getting software vendors to certify their stuff against a release of
    Oracle is a tough sell. They are only going to do it if they see their
    bottom line dropping out. I have the exact same issue with Curam
    software. Our current release (version 3.x) is only certified with
    Oracle 9.2.x. So we cannot go to Oracle 10g until Curam release 4.x is
    both available and wanted by our management team.

    You are right in putting pressure on them to move things along. But
    just be patient. Document the problem for your management and let them
    deal with it. Remember you are "just the DBA". This is a management
    issue.

    Good Luck.

    Tom

  • Paul Drake at Oct 19, 2005 at 9:09 am

    Brian,

    The landscape is changing with respect to what an acceptable "time to
    apply" is these days. It's not uncommon to see the term "0day"
    mentioned in security-related articles. The holes are out there, some
    generally known exploit code is out there, some generally unknown
    exploit code is out there. What matters for your environment is going
    to depend upon what features you have deployed (e.g. you're not using
    Spatial or interMedia and don't have those components installed) and who
    is permitted access to your database servers. If only your application
    servers have network access to the database servers, the risk of a
    Sasser-type worm (Slammer) affecting your db servers would be
    considerably less.

    Did you notice that in the Oct 2005 CPU the workaround column is blank?
    That's not entirely true. Metalink has notes on removal of options,
    such as Spatial, if that option was installed but is not in use.

    Mitigation (e.g. revoke tab_priv grants from public) could be just as
    good as patching but it will likely require just as much testing.

    Haven't had coffee yet today.

    Paul
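One way to size the mitigation Paul describes (unused options, grants to PUBLIC) before deciding whether it is a substitute for patching. This is an added example, not code from the thread or from Oracle; it assumes a DBA-privileged session on 10g and the registry component ids SDO (Spatial), ORDIM (interMedia) and CONTEXT (Text).

```sql
-- Added example: inventory installed options and what they expose to PUBLIC,
-- then generate reversible REVOKE/GRANT statements for review.
-- Assumes DBA privileges and the dba_registry component ids below.

-- 1. Which options are installed, and under which schema each one lives.
SELECT comp_id, comp_name, schema, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 2. Object privileges the option schemas grant to PUBLIC. Anything listed
--    here is callable by every account in the database, patched or not.
SELECT r.comp_name, p.owner, p.table_name, p.privilege
  FROM dba_registry r
  JOIN dba_tab_privs p ON p.owner = r.schema
 WHERE p.grantee = 'PUBLIC'
   AND r.comp_id IN ('SDO', 'ORDIM', 'CONTEXT')
 ORDER BY r.comp_name, p.table_name;

-- 3. Snapshot the current PUBLIC grants so the change can be reversed
--    after application regression testing (the testing the thread warns about).
CREATE TABLE public_grants_baseline AS
SELECT SYSDATE AS captured_at, grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC';

-- 4. REVOKE statements for review; apply in dev first, never blind.
SELECT 'REVOKE ' || p.privilege || ' ON "' || p.owner || '"."' || p.table_name
       || '" FROM PUBLIC;' AS revoke_stmt
  FROM dba_registry r
  JOIN dba_tab_privs p ON p.owner = r.schema
 WHERE p.grantee = 'PUBLIC'
   AND r.comp_id IN ('SDO', 'ORDIM', 'CONTEXT')
   AND p.privilege = 'EXECUTE';

-- 5. Matching GRANT statements from the baseline, to roll back if an
--    application breaks (NULL from the CASE concatenates as an empty string).
SELECT 'GRANT ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" TO PUBLIC'
       || CASE WHEN grantable = 'YES' THEN ' WITH GRANT OPTION' END || ';' AS grant_stmt
  FROM public_grants_baseline
 WHERE owner IN (SELECT schema FROM dba_registry
                  WHERE comp_id IN ('SDO', 'ORDIM', 'CONTEXT'));
```

Options that are installed but unused are better removed per the Metalink notes Paul mentions; the queries above show what the grants look like either way.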
  • Pass, Stephanie at Oct 19, 2005 at 9:16 am
    I think you all are missing something very important .... You are assuming that Oracle's patches will actually fix the security issues and ensure they are not still exploitable.

  • David Sharples at Oct 19, 2005 at 9:21 am
    Not missing anything. Need to apply them and then test them to make sure
    they work as advertised.
    Can't just look at the README and decide if it works.

  • BP at Oct 19, 2005 at 11:46 am
    Thanks everyone.

    I haven't opened any TAR's yet but can anyone tell me how Oracle
    Support reacts when requesting help with an unpatched server?

    Brian
  • Yavor Ivanov at Oct 19, 2005 at 11:56 am
    They nag, but if you give a stable-enough reason to be unpatched, they do
    the work. Just be talkative enough.

    Rgds
    Yavor
    --
    Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
  • David Sharples at Oct 19, 2005 at 12:02 pm
    If it is a patchset and you have a bug which needs fixing, they will only
    fix it on the current patch set (which is fair enough).
    That's about the only limitation of it, they won't refuse to help you or
    anything like that. They try to make you patch your server before diving
    in deeply but a short response of NO usually helps there.
    The question - is this problem fixed in the patch set you are recommending -
    usually makes them shut up (because if they can't say it's fixed in a
    patchset, it isn't fixed).
  • Paul Drake at Oct 19, 2005 at 12:42 pm

    Brian,

    There is a section in the form where you open an iTAR where it asks
    you to explain why the latest patchset has not yet been applied. By
    that, I do not believe that they mean the latest one-off patch - I
    believe that they mean the latest full patchset that is
    regression-tested. The one-off patches used to have boilerplate text
    of ~ "you must have located this via a specific bug" or something to
    that effect.

    If you're still running a base release at this point, you're going to get grief.

    Paul
  • Bob Murching at Oct 19, 2005 at 12:38 pm
    Depends a lot on the specific release in question.

    My experience has been that support generally is good so long as the major
    release is under support. If the TAR identifies a bug that's fixed in a
    later patchset, however, requesting backports can be a challenge. That
    rarely is a hill I want to die on, and I find that staying with the more
    recent patchsets (perhaps not every single one but every 3rd patchset
    depending on community feedback) is the path of least resistance.

  • Pete Sharman at Oct 19, 2005 at 12:47 pm
    One side note that doesn't answer your question but may be worthwhile throwing out there anyway ...

    There is a group within Oracle itself whose whole purpose in life is to assist partners in upgrading their product to run on later releases. Normally this is more for things like upgrading from 9i to 10g, or single instance to RAC, than from 10.1.0.2 to 10.1.0.4 though.

    Pete

    "Controlling developers is like herding cats."
    Kevin Loney, Oracle DBA Handbook

    "Oh no, it's not. It's much harder than that!"
    Bruce Pihlamae, long-term Oracle DBA

Discussion overview: group oracle-l (oracle.com), category oracle, posted Oct 19, '05 at 8:26a, last active Oct 19, '05 at 12:47p, 12 posts, 8 users.