RE: Vendors supporting patch levels

  • From: "Pass, Stephanie" <Stephanie_Pass@xxxxxxxxxxxxxxxxx>
  • To: <bdbafh@xxxxxxxxx>, <brian.peasey@xxxxxxxxx>
  • Date: Wed, 19 Oct 2005 08:13:45 -0600

I think you all are missing something very important... You are assuming 
that Oracle's patches will actually fix the security issues and ensure they are 
not still exploitable.


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]On 
Behalf Of Paul Drake
Sent: Wednesday, October 19, 2005 8:07 AM
To: brian.peasey@xxxxxxxxx
Cc: Oracle-L
Subject: Re: Vendors supporting patch levels

On 10/19/05, BP <brian.peasey@xxxxxxxxx> wrote:
> [Oracle 10g Enterprise on AIX 5L]
>
> Hi Everyone,
>
> It's me the neophyte dba again...I'm eager to patch our db's from
> 10.1.0.2 to 10.1.0.4, with the latter being a prereq for the July 2005
> Critical patch. We have no db's in production yet and have three
> vendors involved in this project. Internally, my request to patch our
> existing dev db's is met with extreme caution. The concern being that
> the vendors may or will not offer support if they haven't tested the
> patch themselves. Is this a normal situation? Personally I agree that
> we want to have good relationships with the vendors, but I think they
> have a responsibility to respond to critical patches (install, test and
> support to that level) in a timely manner.
>
> To date I've informed my PM's that there is a critical patch for the
> db's and that since July the vulnerabilities are now public knowledge.
> Not sure if there's anything else I can or should do. Oh ya...I'm
> documenting this to cma.
>
> Any words of wisdom are greatly appreciated.
>
> Brian Peasey

Brian,

The landscape is changing with respect to what an acceptable "time to
apply" is these days. It's not uncommon to see the term "0day"
mentioned in security-related articles. The holes are out there, some
generally known exploit code is out there, some generally unknown
exploit code is out there. What matters for your environment is going
to depend upon what features you have deployed (e.g. you're not using
spatial, intermedia and don't have those components installed) and who
is permitted access to your database servers. If only your application
servers have network access to the database servers, the risk of a
sasser-type worm (slammer) affecting your db servers would be
considerably less.

Did you notice that in the Oct 2005 CPU the workaround column is blank?
That's not entirely true. Metalink has notes on removal of options,
such as spatial, if that option was installed but is not in use.

Mitigation (e.g. revoke tab_priv grants from public) could be just as
good as patching but it will likely require just as much testing.

haven't had coffee yet today.

Paul
--
//www.freelists.org/webpage/oracle-l
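An added example (not part of Paul's message or anything else in this thread) of the inventory a DBA could run before choosing between patching and the mitigations Paul mentions: which optional components are actually installed, and what PUBLIC holds on their schemas. It assumes Oracle 10g dictionary views DBA_REGISTRY and DBA_TAB_PRIVS, a DBA-privileged session, and the usual component/schema pairings (SDO/MDSYS for Spatial, ORDIM/ORDSYS for interMedia, CONTEXT/CTXSYS for Text).

```sql
-- Added example, not from the thread. Assumes a DBA session on Oracle 10g.
-- Component ids and owning schemas below are assumed pairings:
--   SDO -> MDSYS (Spatial), ORDIM -> ORDSYS (interMedia), CONTEXT -> CTXSYS (Text)

-- 1. Which of the optional components Paul refers to are installed and VALID?
--    A component that is not listed (or is REMOVED) is not exposed on this db.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id IN ('SDO', 'ORDIM', 'CONTEXT', 'XDB', 'JAVAVM')
 ORDER BY comp_id;

-- 2. Object privileges PUBLIC currently holds on those components' schemas.
--    This is the "tab_priv grants to public" surface that the mitigation
--    would reduce; review it against what the applications actually call.
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner IN ('MDSYS', 'ORDSYS', 'CTXSYS')
 ORDER BY owner, table_name, privilege;

-- 3. Generate REVOKE statements for review only; as Paul notes, the
--    mitigation needs the same test cycle the patch would, so run the
--    generated output in dev first and keep it with the change record.
SELECT 'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
       || ' FROM PUBLIC;' AS revoke_stmt
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner IN ('MDSYS', 'ORDSYS', 'CTXSYS')
 ORDER BY owner, table_name, privilege;
```

Rerunning query 2 after the revokes (and after each patch or option removal) gives a simple before/after record of what PUBLIC can reach, which is the kind of evidence the original poster said he was collecting.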
