Solved

Oracle RDBMS security patch reports

Posted on 2013-01-15
463 Views
Last Modified: 2013-01-30
Aside from using costly commercial vulnerability scanners, are there any easy techniques to produce a management friendly report on what security patches are missing from an Oracle 11g database? Or better still to produce a “fully security patched” type assurance report to management.

Could you provide simple steps to get to the report, or direction to a sample report?
Also, excuse my ignorance, but I have heard systems administrators say they often fall behind on database security patches as they are concerned applying the patch could cause issues with the proper functioning of the application. Is this a valid concern or a load of nonsense? Have you ever applied a security patch that has had an unfortunate knock-on effect on the application that it drives?

Please keep answers simple and non-DBA/management friendly.
0
Question by:pma111
8 Comments
 
LVL 77

Accepted Solution

by:
slightwv (Netminder) earned 250 total points
ID: 38778623
>>what security patches are missing from an Oracle 11g database

I don't know of a way to produce a list of missing patches.  Maybe another Expert will know a way.

You can get a list of applied patches with: opatch lsinventory

>>patch could cause issues with the proper functioning of the application

Sadly, this is accurate.  Oracle patches can, and do, introduce new bugs.

I have this same exact 'debate' with our Security folks all the time because I don't patch my databases just because Oracle releases a patch.

They typically back off when I state:  I'll apply whatever patch you direct me to but will not be responsible for what it breaks.

You need to apply Oracle patches in a test environment and test, test, test.
0
 
LVL 3

Author Comment

by:pma111
ID: 38778647
Are releases of security patches pretty common for 11g?

Could you give a rough indication of how many security related patches are released per year?
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 38778696
You can take a look at:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Now the fun:  I'm not sure what Oracle considers a 'Security' patch over a normal patch that might 'fix' a vulnerability.  I've never taken the time to dive into that end of the pool.

Hopefully another Expert will be along soon that can help shed some light on this topic.
0
 
LVL 3

Author Comment

by:pma111
ID: 38778706
Ok, thanks for your help so far though...
0
 
LVL 37

Assisted Solution

by:Geert Gruwez
Geert Gruwez earned 250 total points
ID: 38778819
>>>You need to apply Oracle patches in a test environment and test, test ,test.
after applying to a production database: pray, pray, pray
and if it does break: patch, patch, patch

every 3 months there is a "planned" patch.
however any customer can ask for a fix which can lead to a patch.

for the report
> what patch is your database on now? for example: 11.2.0.3 patch #10 from September
> what patch is the latest for that database version 11.2.0.3?
list all of the cve in slightwv's comment:

Security Alert Number And Description       Latest Version/Date
>>>> Alert for CVE-2013-0422       Rev 1, 13 January 2013
Alert for CVE-2012-4681       Rev 1, 30 August 2012
Alert for CVE-2012-3132       Rev 1, 10 August 2012
Alert for CVE-2012-1675       Rev 1, 30 April 2012

The Alert for CVE... describes all the vulnerability problems the databases prior to that version have.
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 38778838
>>after applying to a production database: pray, pray, pray

I second that statement!

I have had things go beautifully in test only to break once it hits production.  It's impossible to test for everything...

Oracle is famous for rolling out some pretty major rewrites of code in what is considered a minor patchset.

For example from 10.2.0.3 to 10.2.0.4 a TON of their XML stuff was basically new code (which means, basically untested).  Of course, they will never tell you this...
0
 
LVL 3

Author Comment

by:pma111
ID: 38778910
"for the report
> what patch is your database on now ? for example: 11.2.0.3 patch #10 from september
> what patch is the latest for that database version 11.2.0.3 ?"

How can you see "what patch your database is on now?", and "what patch is the latest for that version"?
0
 
LVL 77

Expert Comment

by:slightwv (Netminder)
ID: 38778927
>>How can you see "what patch your database is on now?",

re: http:#a38778696

You can get a list of applied patches with: opatch lsinventory

>>and "what patch is the latest for that version"?

The latest alerts and vulnerabilities should be posted on the link I provided in the first post.

For all patches:  The only way I know of is to log into Oracle Support and select your database version and platform.
0
