I think you all are missing something very important .... You are assuming that Oracle's patches will actually fix the security issues and ensure they are not still exploitable.
From: oracle-l-bounce_at_freelists.org On Behalf Of Paul Drake
Sent: Wednesday, October 19, 2005 8:07 AM
Subject: Re: Vendors supporting patch levels
On 10/19/05, BP wrote:
[Oracle 10g Enterprise on AIX 5L]
It's me the neophyte dba again...I'm eager to patch our db's from
10.1.0.2 to 10.1.0.4, with the latter being a prereq for the July 2005
Critical patch. We have no db's in production yet and have three
vendors involved in this project. Internally, my request to patch our
existing dev db's is met with extreme caution. The concern being that
the vendors may or will not offer support if they haven't tested the
patch themselves. Is this a normal situation? Personally I agree that
we want to have good relationships with the vendors, but I think they
have a responsibility to respond to critical patches (install test and
support to that level) in a timely manner.
To date I've informed my PM's that there is a critical patch for the
db's and that since July the vulnerabilities are now public knowledge.
Not sure if there's anything else I can or should do. Oh ya...I'm
documenting this to cma.
Any words of wisdom are greatly appreciated.
The landscape is changing with respect to what an acceptable "time to
apply" is these days. Its not uncommon to see the term "0day"
mentioned in security-related articles. The holes are out there, some
generally known exploit code is out there, some generally unknown
exploit code is out there. What matters for your environment is going
to depend upon what features you have deployed (e.g. you're not using
spatial, intermedia and don't have those components installed) and who
is permitted access to your database servers. If only your application
servers have network access to the database servers, the risk of a
sasser-type worm (slammer) affecting your db servers would be
Did you notice that in the Oct 2005 CPU the workaround column is blank?
That's not entirely true. Metalink has notes on removal of options,
such as spatial, if that option was installed but is not in use.
Mitigation (e.g. revoke tab_priv grants from public) could be just as
good as patching but it will likely require just as much testing.
haven't had coffee yet today.
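As an added example (not from any poster in this thread), the kind of inventory a DBA would run on the dev database before choosing between patching and the mitigation Paul describes: which options are installed, what PUBLIC can execute in the option schemas, and generated REVOKE statements to review. It assumes a DBA account and that MDSYS, ORDSYS/ORDPLUGINS and CTXSYS are the Spatial, interMedia and Text schemas.

```sql
-- Added example, not from any poster in this thread.
-- Run as a DBA user on the dev database before deciding between patching and mitigation.

-- 1. Which options are actually installed? Components not in use are candidates
--    for removal (per the Metalink notes) rather than for patching.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
ORDER  BY comp_id;

-- 2. Inventory object privileges granted to PUBLIC on the option schemas.
--    Assumption: MDSYS = Spatial, ORDSYS/ORDPLUGINS = interMedia, CTXSYS = Text.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('MDSYS', 'ORDSYS', 'ORDPLUGINS', 'CTXSYS')
ORDER  BY owner, table_name, privilege;

-- 3. Generate REVOKE statements for review. Spool them to a script and run the
--    application regression tests before and after: any PL/SQL that depends on
--    these packages through the PUBLIC grant will be invalidated by the revoke,
--    which is the testing cost Paul refers to.
SELECT 'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('MDSYS', 'ORDSYS', 'ORDPLUGINS', 'CTXSYS')
AND    privilege = 'EXECUTE';

-- 4. After revoking, list the objects that went invalid so you can see exactly
--    what relied on those grants and decide whether to re-grant to a specific
--    application role instead of PUBLIC.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;
```

Compare the step 4 output against the same query taken before the revoke; anything that newly appears is a dependency the vendors' testing would also have to cover.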