Re: Question - Fusion Middleware inside Cloud Control or no?

From: Chris Taylor <christopherdtaylor1994_at_gmail.com>
Date: Tue, 17 Nov 2015 08:12:57 -0600
Message-ID: <CAP79kiTWt-cns0bziQ0ouDxL8d7rV7t3ST+eTUO4nw1i=-JTyg_at_mail.gmail.com>



Tim,

With very deep respect to you, I want to analyze this a bit.

I think your argument stems from the idea that the Java vulnerability is a *reasonable risk* and measures can be taken to fence off the server *at risk*. I would agree with that, except that *there is a provided reasonable patching strategy to fix* the Java vulnerabilities delivered in EM 12c.

In context, your argument is placed against the counter-argument: Argument 1) We cannot patch the product (for whatever reasons) and instead fence off the server that has the known vulnerabilities and leave the security risk in place
versus
Argument 2) We can patch (and Oracle provides the ways and means) the Java vulnerability to fix the problem instead of protecting the problem.

The conclusion *reasonably* must be to fix the problem and perhaps also fence the black box. There is no reasonable argument (that I can see) that supports leaving the vulnerability unpatched unless ultimately Oracle's provided patching solutions do not work. I'm working through the CPU 2015 patch instructions for EM 12c now and getting ready to update the JDK (I'm at like step 30 in the documentation I'm throwing together, where the individual patching instructions are all rolled into step numbers 25 & 26; so let's say there are 9 patches, I'm really at like step 39 or something). I'm going to clean up my steps once I'm sure everything "works" as expected.

Chris

On Tue, Nov 17, 2015 at 2:46 AM, Tim Hall <tim_at_oracle-base.com> wrote:

> Hi.
>
> I recognize the problem, but this is where I typically "educate" the
> people involved. Security is not about, "always apply all patches to all
> systems all the time". It is about identifying risk in context. All audit
> and security processes allow for "exceptions to the rule". It is up to you
> to identify where an exception is required and document why it is required
> and any relevant risks, or why they are not risks in this context. Provided
> that is all done correctly, there is no harm done.
>
> Of course, if your client refuses to accept this, they are stupid and you
> have to decide how to deal with this. Personally, I walk away. I've got
> better things to do with my life than deal with idiot customers. :) I
> understand not everyone has that option... :)
>
> Cheers
>
> Tim...
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Nov 17 2015 - 15:12:57 CET
