RE: Vendors supporting patch levels

From: Pass, Stephanie <>
Date: Wed, 19 Oct 2005 08:13:45 -0600
Message-ID: <>

I think you all are missing something very important .... You are assuming that Oracle's patches will actually fix the security issues and ensure they are not still exploitable.

-----Original Message-----
From: [] On Behalf Of Paul Drake
Sent: Wednesday, October 19, 2005 8:07 AM
To:
Cc: Oracle-L
Subject: Re: Vendors supporting patch levels

On 10/19/05, BP <> wrote:
> [Oracle 10g Enterprise on AIX 5L]
> Hi Everyone,
> It's me the neophyte dba again...I'm eager to patch our db's from
> to, with the latter being a prereq for the July 2005
> Critical patch. We have no db's in production yet and have three
> vendors involved in this project. Internally, my request to patch our
> existing dev db's is met with extreme caution. The concern being that
> the vendors may or will not offer support if they haven't tested the
> patch themselves. Is this a normal situation? Personally I agree that
> we want to have good relationships with the vendors, but I think they
> have a responsibility to respond to critical patches (install test and
> support to that level) in a timely manner.
> To date I've informed my PM's that there is a critical patch for the
> db's and that since July the vulnerabilities are now public knowledge.
> Not sure if there's anything else I can or should do. Oh ya...I'm
> documenting this to cma.
> Any words of wisdom are greatly appreciated.
> Brian Peasey


The landscape is changing with respect to what an acceptable "time to apply" is these days. It's not uncommon to see the term "0day" mentioned in security-related articles. The holes are out there, some generally known exploit code is out there, some generally unknown exploit code is out there. What matters for your environment is going to depend upon what features you have deployed (e.g. you're not using spatial, intermedia and don't have those components installed) and who is permitted access to your database servers. If only your application servers have network access to the database servers, the risk of a sasser-type worm (slammer) affecting your db servers would be considerably less.

Did you notice that in the Oct 2005 CPU the workaround column is blank? That's not entirely true. Metalink has notes on removal of options, such as spatial, if that option was installed but is not in use.

Mitigation (e.g. revoke tab_priv grants from public) could be just as good as patching but it will likely require just as much testing.

haven't had coffee yet today.


Received on Wed Oct 19 2005 - 09:16:49 CDT
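The two points Paul raises above, checking which components are actually installed and revoking PUBLIC execute grants as a mitigation, can both be driven from the data dictionary. The SQL*Plus script below is an added example and is not part of the original thread or any Oracle-supplied script. It assumes a DBA connection to a 10g database; the package names it inspects (UTL_FILE, UTL_HTTP, UTL_TCP, UTL_SMTP, DBMS_LOB) are an illustrative set, not a list of what any particular CPU fixes, and APP_OWNER is a placeholder for whichever schema turns out to depend on the package.

```sql
-- Added example (not from the original thread): inventory and mitigation
-- script to run as a DBA in SQL*Plus before choosing between patching and
-- revoking PUBLIC grants. The package list is illustrative only; APP_OWNER
-- is a placeholder schema name.

SET PAGESIZE 100 LINESIZE 160

-- 1. Which options are installed? A component that is not installed cannot
--    be the exposure a CPU entry describes; one that is installed but unused
--    is a candidate for removal per the Metalink notes mentioned above.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 ORDER BY comp_id;

-- 2. Which SYS-owned packages can every account execute via PUBLIC?
SELECT p.table_name, p.privilege, p.grantor
  FROM dba_tab_privs p
 WHERE p.grantee    = 'PUBLIC'
   AND p.owner      = 'SYS'
   AND p.privilege  = 'EXECUTE'
   AND p.table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP', 'DBMS_LOB')
 ORDER BY p.table_name;

-- 3. Who actually depends on them? Revoking from PUBLIC invalidates any
--    non-SYS object that references the package, so list them first. This
--    is the part that needs the same testing effort as a patch.
SELECT d.owner, d.name, d.type, d.referenced_name
  FROM dba_dependencies d
 WHERE d.referenced_owner = 'SYS'
   AND d.referenced_name  IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP')
   AND d.owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY d.owner, d.name;

-- 4. Mitigation for one package: take it away from PUBLIC and grant it back
--    only to the schemas found in step 3 (APP_OWNER is a placeholder).
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
GRANT  EXECUTE ON sys.utl_http TO app_owner;

-- 5. Confirm nothing outside SYS/SYSTEM was left INVALID by the revoke.
--    Anything listed here either needs a direct grant or a recompile.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, object_name;
```

Run steps 1 through 3 on the dev database first; the output of step 3 is the list of things the vendors would need to re-test, which is the point of Paul's remark that mitigation costs about as much testing as the patch itself.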
