Java Mailing List Archive

http://www.dba.5341.com/

Mailing list: oracle-l

Oracle security fixes are released between official cpu releases

Dree VeeWee

2007-07-25

Hi list,
 
My finding is: Oracle security fixes are released between official CPU releases.
 
Not a big surprise really, but it makes it even harder to define a database-vulnerability-protection policy that is supported by your businesses. An easy cover-my-.ss approach is to publish alerts internally saying that Oracle has released a CPU (like 5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007) and that we HAVE TO apply this patch ASAP (after some sanity testing of course).
Is my job done then? I believe not. But telling my organization that more security fixes will follow before the next CPU is released and they better be applied too doesn't help in getting this patch policy embraced and doesn't make my message popular amongst managers and DBAs who have to do the work.
 
I tried the bunkerview on a 10203 database which had patch 7 (6038241) applied, which is also labeled as CPU April 2007, and it failed. So it looks like it was already fixed before CPU July 2007 came out. That makes me believe that Oracle releases security fixes in between CPUs.
Below is the patch history on the Windows 32-bit platform for 10.2.0.3 since CPU April 2007:

6116131 PATCH 8 WINDOWS 32 BIT 10.2.0.3 17-JUL-2007 (First Cpu July 2007)
6038241 PATCH 7 WINDOWS 32 BIT 10.2.0.3 05-JUL-2007
6012742 PATCH 6 WINDOWS 32 BIT 10.2.0.3 07-JUN-2007
5946186 PATCH 5 WINDOWS 32 BIT 10.2.0.3 19-MAY-2007
5948242 PATCH 4 WINDOWS 32 BIT 10.2.0.3 17-APR-2007 (First Cpu April 2007)

Without doubt this won't be a lot different on other platforms.

SQL> show user
USER is "HEK"
SQL> select * from user_sys_privs;

USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
HEK                            CREATE SESSION                           NO
HEK                            CREATE VIEW                              NO

SQL> /
select x.name,x.password from sys.user$ x ..

                                  *
ERROR at line 2:
ORA-00942: table or view does not exist

These in-between fixes are NOT picked up by Grid Control!

I am interested to hear stories from other Oracle customers.

regards,

Andre
