Oracle patching issues

Posted on 2014-09-01
Last Modified: 2014-09-01
A 3rd party recently conducted a penetration test/vulnerability assessment which included Oracle database servers running on an underlying IBM AIX OS. The results of the test showed a number of missing patches on both platforms and recommended that the patch management process for this software be looked into.

Our DBA has informed us they only patch at the instruction of the application developers (often external to the organisation), claiming that if they apply patches the application and application DB could be negatively affected. But at the same time, not patching because it could break something also leaves security holes to sensitive data.

So in such cases, where is the middle ground? What should the DBA do to demonstrate they have flagged this issue and are doing all they can to keep software up to date and secure?
Question by: pma111 (LVL 34)

    Accepted Solution

    There may be no middle ground.

    I had a situation where we had a similar audit.  The third party software is run and tested with a certain set of database patches.  If you deviate from that set of patches, they will not support the software and you are on your own.  Software support for the products that run your company are pretty important.

    In order to satisfy the audit, you should only need to tell the auditors that you have to keep the current patch levels to keep the support for the product.  You may need to produce a support agreement from the third party to show that.

    The violation essentially becomes a risk that you have to take.

    Depending on what the risk is, there may be other ways to mitigate it that the auditors will accept, but that is not always possible.  For example, if the risk is to external access, as long as the database server is on a network that has no external access, that should be a valid mitigation.  However, every auditor is different and they don't always accept that.

    You are the one in control of your environment.  Not the auditors.  I have had auditors say that certain things needed to be changed, but if you did what they said, Oracle would not support the database anymore (and they publish Metalink articles to show that) and in some cases, the database would cease to function properly.
    Expert Comment by: slightwv (Netminder), LVL 76
    Even though you already accepted an answer I wanted to share my 2 cents:
    Oracle is FAMOUS for introducing new bugs with their patches.  You can even undo previous patches with new ones if you have installed any one-off patches (not patchsets).

    I've lived this one.  I installed a one-off to fix bugA.  Later found bugB and they had a patch for that.  Well, the patch for bugB didn't have the fix for bugA so I was in a bug loop until a patchset came out.

    Here is what I've told our security folks when I've been told I'm behind in my patches:
    I will install whatever patch you order me to install but I will NOT stay past my normal working hours to fix any bugs/problems they introduce.

    In other words:  You all own the responsibility of me applying the patch.  I'll not work overtime or weekends to fix the problems YOU caused.

    I never hear back from them.
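The "bug loop" slightwv describes (a one-off for bugB silently dropping the fix for bugA) is cheap to detect at change time: save the `opatch lsinventory` output before and after applying a one-off and diff the set of bug numbers each inventory claims to fix. The script below is an added example written for this page, not code from the thread or from Oracle; it assumes the inventory text follows the layout of the constructed samples (a `Patch <n> : applied on ...` header followed by a `Bugs fixed:` list), and every patch and bug number in it is made up for illustration.

```python
"""Compare the bug fixes recorded in two `opatch lsinventory` captures and
report any bug that was fixed before a one-off was applied but is no longer
covered afterwards (the "bug loop" from the thread above).

Added example: not Oracle's code and not from the original thread. The parser
assumes the lsinventory layout shown in the constructed samples below; adjust
PATCH_RE if your OPatch version prints the header differently. All patch and
bug numbers are invented for illustration.
"""
import re

# Matches the per-patch header line, e.g. "Patch  11111111     : applied on ..."
PATCH_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+)$")


def parse_inventory(text):
    """Return {patch_number: set(bug_numbers)} from lsinventory-style output."""
    patches = {}
    current = None
    in_bugs = False
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if m:
            current = m.group(1)
            patches[current] = set()
            in_bugs = False
            continue
        if current is None:
            continue  # still in the preamble before the first patch
        if line.strip().startswith("Bugs fixed:"):
            in_bugs = True
            continue
        if in_bugs:
            nums = re.findall(r"\d+", line)
            # Bug lists are indented; a blank or unindented line ends the list
            if nums and line.startswith(" "):
                patches[current].update(nums)
            else:
                in_bugs = False
    return patches


def fixed_bugs(patches):
    """Union of every bug number the inventory claims is fixed."""
    return set().union(*patches.values()) if patches else set()


def regressions(before_text, after_text):
    """Bugs fixed in the 'before' capture that the 'after' capture no longer lists."""
    return fixed_bugs(parse_inventory(before_text)) - fixed_bugs(parse_inventory(after_text))


# Constructed sample: inventory with one-off 11111111 (fixing "bugA") applied.
BEFORE = """\
Interim patches (1) :

Patch  11111111     : applied on Mon Mar 03 10:15:00 GMT 2014
Unique Patch ID:  20000001
   Created on 1 Mar 2014, 09:00:00 hrs PST8PDT
   Bugs fixed:
     11111111
"""

# Constructed sample: one-off 22222222 ("bugB") replaced 11111111 and does not
# carry its fix, which is the regression the thread warns about.
AFTER = """\
Interim patches (1) :

Patch  22222222     : applied on Fri Aug 29 18:40:00 GMT 2014
Unique Patch ID:  20000002
   Created on 20 Aug 2014, 09:00:00 hrs PST8PDT
   Bugs fixed:
     22222222
"""

# Constructed sample: a merged one-off that fixes both bugs, so nothing is lost.
AFTER_MERGED = """\
Interim patches (1) :

Patch  33333333     : applied on Fri Aug 29 18:40:00 GMT 2014
Unique Patch ID:  20000003
   Created on 20 Aug 2014, 09:00:00 hrs PST8PDT
   Bugs fixed:
     22222222, 11111111
"""

if __name__ == "__main__":
    print("lost after one-off 22222222:", sorted(regressions(BEFORE, AFTER)))
    print("lost after merged one-off  :", sorted(regressions(BEFORE, AFTER_MERGED)))
```

Capture `$ORACLE_HOME/OPatch/opatch lsinventory` to a file before and after each one-off and run the comparison as part of the change record. An empty result is the evidence a DBA can attach to show the previous fixes survived; a non-empty one is the point at which to ask Oracle for a merged patch rather than discovering the loss in production.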
