

oracle patching issues

Posted on 2014-09-01
Medium Priority
Last Modified: 2014-09-01
A 3rd party recently conducted a penetration test/vulnerability assessment which included Oracle database servers with an underlying IBM AIX OS. The results of the test showed a number of missing patches on both platforms and recommended that the patch management process for this software be looked into.

Our DBA has informed us they only patch at the instruction of the application developers (often external to the organisation), claiming that if they apply patches the application and application DB could be negatively affected. But at the same time, not patching because it could break something also leaves security holes to sensitive data.

So in such cases – where is the middle ground? What should the DBA do to demonstrate they have flagged this issue and are doing all they can to keep software up to date and secure?
Question by: pma111
LVL 35

Accepted Solution

johnsone earned 2000 total points
ID: 40296577
There may be no middle ground.

I had a situation where we had a similar audit.  The third party software is run and tested with a certain set of database patches.  If you deviate from that set of patches, they will not support the software and you are on your own.  Software support for the products that run your company are pretty important.

In order to satisfy the audit, you should only need to tell the auditors that we have to keep the current patch levels to keep the support for the product.  You may need to produce a support agreement from the third party to show that.

The violation essentially becomes a risk that you have to take.

Depending on what the risk is, there may be other ways to mitigate it that the auditors will accept, but that is not always possible.  For example, if the risk is to external access, as long as the database server is on a network that has no external access, that should be a valid mitigation.  However, every auditor is different and they don't always accept that.

You are the one in control of your environment.  Not the auditors.  I have had auditors say that certain things needed to be changed, but if you did what they said, Oracle would not support the database anymore (and they publish Metalink articles to show that) and in some cases, the database would cease to function properly.
LVL 78

Expert Comment

by: slightwv (Netminder)
ID: 40297377
Even though you already accepted an answer I wanted to share my 2 cents:
Oracle is FAMOUS for introducing new bugs with their patches.  You can even undo previous patches with new ones if you have installed any one-off patches (not patchsets).

I've lived this one.  I installed a one-off to fix bugA.  Later found bugB and they had a patch for that.  Well, the patch for bugB didn't have the fix for bugA so I was in a bug loop until a patchset came out.

Here is what I've told our security folks when I've been told I'm behind in my patches:
I will install whatever patch you order me to install but I will NOT stay past my normal working hours to fix any bugs/problems they introduce.

In other words:  You all own the responsibility of me applying the patch.  I'll not work overtime or weekends to fix the problems YOU caused.

I never hear back from them.
