Hi Joan

This really depends on the kind of vulnerabilities the patches fix IMHO -- which varies between each one of them.

Consider this for example:

- Your hacker has access to an account in your "non-critical" DB
- There's an unpatched vulnerability that lets authenticated users gain DBA privileges
- He gains those privileges in your "non-critical" DB.
- He can now do whatever the oracle user on that system can do
- For example, update $HOME/.ssh/authorized_keys with his own key
- He then has shell access (and if your OS is as poorly patched as your database, he'll soon have root as well)
- It's then easy to capture other valuable information, such as passwords lying around in scripts, or do many naughty things
- And perhaps your environment has a few (or even just 1) sys password
- And he will very soon have access to the oracle user on different servers (including your more "critical" ones).

Just some random thoughts, I'm sure others have other ideas ;-)

Stefan

=========================
Stefan P Knecht
CEO & Founder
s@xxxxxxxx

10046 Consulting GmbH
Schwarzackerstrasse 29
CH-8304 Wallisellen
Switzerland

Phone +41-(0)8400-10046
Cell +41 (0) 79 571 36 27
info@xxxxxxxx
http://www.10046.ch
=========================

On Fri, Sep 11, 2009 at 6:38 PM, Joan Hsieh <joan.hsieh@xxxxxxxxx> wrote:
> Hi Listers,
>
> I have one question regarding the cpu patch. We have some databases which
> are not data sensitive at all. For example, like scheduling, web. etc. I am
> wondering if cpu patch is necessary to patch every quarterly on these
> servers. Is there any security concern that hackers can hack other important
> databases (like FM, HR) via these databases. All the databases share the
> same tnsnames.ora on the share drive.
>
> Thanks,
>
> Joan
>
> --
> //www.freelists.org/webpage/oracle-l
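
The reply above names a change to the oracle user's $HOME/.ssh/authorized_keys as the step that turns database privileges into shell access. The following is an added example, not part of the original thread, of a baseline check that reports any key in that file whose fingerprint is not on an approved list. The function names, the sample file and the key blobs are constructed for illustration.

```python
import base64, hashlib, re, struct

# Key type, then base64 blob, then optional comment; text before the key type is options.
KEY_RE = re.compile(
    r"(?:^|\s)((?:ssh|ecdsa|sk)-[A-Za-z0-9@.\-]+)\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line_no, fingerprint, options, comment) for each key not in `approved`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        try:
            fp = fingerprint(m.group(2)) if m else None
        except ValueError:            # blob is not valid base64
            fp = None
        if fp is None:
            findings.append((no, None, "", "unparseable entry"))
        elif fp not in approved:
            findings.append((no, fp, line[:m.start(1)].strip(), m.group(3) or ""))
    return findings

def make_blob(seed):
    """Constructed ssh-ed25519 public key blob (not a real key), derived from a seed."""
    key = hashlib.sha256(seed).digest()
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(raw).decode()

DBA, ROGUE = make_blob(b"dba"), make_blob(b"rogue")
# Constructed authorized_keys content: one approved key, one key added later.
SAMPLE = (f"# oracle user keys (constructed sample)\n"
          f"ssh-ed25519 {DBA} dba@jumphost\n"
          f"no-pty ssh-ed25519 {ROGUE} added-later\n")
APPROVED = {fingerprint(DBA)}         # baseline recorded when the host was built

if __name__ == "__main__":
    for line_no, fp, options, comment in audit(SAMPLE, APPROVED):
        print(f"line {line_no}: unapproved key {fp} options={options!r} comment={comment!r}")
```

Keep the approved fingerprint list somewhere the oracle user cannot write, otherwise the same account that altered the key file can alter the baseline.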