

Re: Vendors supporting patch levels

From: Paul Drake <>
Date: Wed, 19 Oct 2005 10:06:34 -0400
Message-ID: <>

On 10/19/05, BP <> wrote:
> [Oracle 10g Enterprise on AIX 5L]
> Hi Everyone,
> It's me the neophyte dba again...I'm eager to patch our db's from
> to, with the latter being a prereq for the July 2005
> Critical patch. We have no db's in production yet and have three
> vendors involved in this project. Internally, my request to patch our
> existing dev db's is met with extreme caution. The concern being that
> the vendors may or will not offer support if they haven't tested the
> patch themselves. Is this a normal situation? Personally I agree that
> we want to have good relationships with the vendors, but I think they
> have a responsibility to respond to critical patches (install test and
> support to that level) in a timely manner.
> To date I've informed my PM's that there is a critical patch for the
> db's and that since July the vulnerabilities are now public knowledge.
> Not sure if there's anything else I can or should do. Oh ya...I'm
> documenting this to cma.
> Any words of wisdom are greatly appreciated.
> Brian Peasey


The landscape is changing with respect to what an acceptable "time to apply" is these days. It's not uncommon to see the term "0day" mentioned in security-related articles. The holes are out there, some generally known exploit code is out there, some generally unknown exploit code is out there. What matters for your environment is going to depend upon what features you have deployed (e.g. you're not using spatial, intermedia and don't have those components installed) and who is permitted access to your database servers. If only your application servers have network access to the database servers, the risk of a sasser-type worm (slammer) affecting your db servers would be considerably less.

Did you notice that in the Oct 2005 CPU, that the workaround column is blank? That's not entirely true. Metalink has notes on removal of options, such as spatial, if that option was installed but is not in use.

Mitigation (e.g. revoke tab_priv grants from public) could be just as good as patching but it will likely require just as much testing.

haven't had coffee yet today.


Received on Wed Oct 19 2005 - 09:09:31 CDT
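A concrete way to answer the two questions raised in the reply above (which options are actually installed, and what PUBLIC can reach), as an added example that is not part of the original thread: standard Oracle data dictionary queries run as a DBA in SQL*Plus. The views (DBA_REGISTRY, DBA_TAB_PRIVS, DBA_OBJECTS) are the normal 10g dictionary; the list of packages in the EXECUTE filter is an assumption chosen for illustration, not something the thread names, and the generated REVOKE statements are for review only, since revoking from PUBLIC can break tools and applications exactly the way an untested patch can.

```sql
-- Added example (not from the original thread). Run as a DBA user.

-- 1. Which components are installed? An option that is not present cannot
--    be exploited; one that is present but unused is a candidate for the
--    removal procedures the reply refers to.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 2. Summary of what PUBLIC holds, by owner and privilege. This gives the
--    size of the attack surface before any individual grant is touched.
SELECT owner, privilege, COUNT(*) AS grants
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
 GROUP BY owner, privilege
 ORDER BY owner, privilege;

-- 3. PUBLIC EXECUTE on SYS packages that reach the file system or network.
--    The package list is an assumption for illustration; extend it to match
--    what your own review flags.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP')
 ORDER BY table_name;

-- 4. Generate REVOKE statements for the rows found in step 3. Spool this,
--    review it, and test it against the application before running it:
--    a revoke is a change like any other and needs the same regression pass.
SELECT 'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP');

-- 5. After applying the revokes, list objects that went invalid. Anything
--    here depended on the revoked grant and shows what the test cycle missed.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```

If step 5 returns application-owned packages, the owning schema needs a direct grant (GRANT EXECUTE ON SYS.UTL_FILE TO app_owner) rather than the PUBLIC grant being restored, which keeps the mitigation narrow to the schemas that actually use the package.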
