2 Replies Latest reply: Feb 5, 2013 9:50 PM by Sunthar Tharmalingam

    Oracle RDBMS security patch reports

    user599292
      Aside from using costly commercial vulnerability scanners, are there any easy techniques to produce a management friendly report on what security patches are missing from an Oracle 11g database? Or better still to produce a “fully security patched” type assurance report to management.

      Could you provide simple steps to get to the report, or direction to a sample report?
      Also, excuse my ignorance, but I have heard systems administrators say they often fall behind on database security patches as they are concerned applying the patch could cause issues with the proper functioning of the application. Is this a valid concern or a load of nonsense? Have you ever applied a security patch that has had an unfortunate knock-on effect on the application that it drives?

      Please keep answers simple and non-DBA/management friendly.
        • 1. Re: Oracle RDBMS security patch reports
          Harm Joris ten Napel-Oracle
          Hi,

          in my experience in customer support I have found that customers often confuse the severity of a security vulnerability with the effects
          of the fix. For example, a typical vulnerability would involve incorrect parameter validation, so it would be possible to abuse an API
          call to 'do their thing'; however, well-behaved applications never try to do more than documented, so for those the fix has zero effect.

          Also in my experience regressions are very rare and even more exceptional in CPU patches, since they never intend to change any
          functionality but only stop the bad things from being possible.

          The best practice is to keep up with CPU (or PSU) patches as they are made available and not fall too far behind. Each time Oracle
          issues an alert or quarterly CPU patch, there's an associated risk matrix that lists the vulnerability scores on a scale from 1 to 10,
          detailing how bad it is this time. For the quarterly CPU, most people forget it only lists the issues reported since the previous one,
          so when they fall behind with patching and wonder if the issue is sufficiently serious to apply a patch for it, they forget to check
          the seriousness of all fixed issues since the last CPU they applied.

          The advice is to simply apply these fixes as soon as they are made available, since they are low risk and fix serious issues.

          To check what patches are installed in a database home use: opatch lsinventory -patch; for example, with the latest PSU on 11.2.0.3 it looks like this:

          Patch 14727310 : applied on Wed Jan 16 08:11:22 CET 2013
          Unique Patch ID: 15663328
          Patch description: "Database Patch Set Update : 11.2.0.3.5 (14727310)"
          Created on 27 Dec 2012, 00:06:30 hrs PST8PDT
          Sub-patch 14275605; "Database Patch Set Update : 11.2.0.3.4 (14275605)"
          Sub-patch 13923374; "Database Patch Set Update : 11.2.0.3.3 (13923374)"
          Sub-patch 13696216; "Database Patch Set Update : 11.2.0.3.2 (13696216)"
          Sub-patch 13343438; "Database Patch Set Update : 11.2.0.3.1 (13343438)"
          Bugs fixed:
          <etc.>

          Inside the database you can query registry$history for example (for the same database):

          set linesize 90
          set pagesize 100
          select substr(action_time,1,30) action_time,
                 substr(id,1,8) id,
                 substr(action,1,10) action,
                 substr(version,1,8) version,
                 substr(bundle_series,1,6) bundle_series,
                 substr(comments,1,20) comments
            from registry$history;

          ACTION_TIME                   ID  ACTION  VERSION   BUNDLE_SERIES  COMMENTS
          ----------------------------  --  ------  --------  -------------  -------------------
          17-SEP-11 10.21.11.595816 AM  0   APPLY   11.2.0.3  PSU            Patchset 11.2.0.2.0
          06-JUL-12 02.11.35.333630 PM  0   APPLY   11.2.0.3  PSU            Patchset 11.2.0.2.0
          20-NOV-12 04.55.45.398041 PM  4   APPLY   11.2.0.3  PSU            PSU 11.2.0.3.4
          16-JAN-13 08.13.40.613726 AM  5   APPLY   11.2.0.3  PSU            PSU 11.2.0.3.5

          For more information see:

          note 821263.1 How to confirm that a Critical Patch Update (CPU) has been installed in Linux / UNIX

          Greetings,

          Harm ten Napel

          Edited by: hnapel on Jan 16, 2013 3:41 AM
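The reply above gives the two raw sources (opatch lsinventory for the Oracle home, registry$history for the database) but the original question asked for something a manager can read. The script below is an added example for this thread, not code from the posts or from Oracle: it parses opatch lsinventory text, picks out the highest Database Patch Set Update it finds, and compares that level with a target PSU level the operator supplies from the current Critical Patch Update advisory. The sample inventory text is constructed here from the 11.2.0.3.5 entry quoted above, and the target level "11.2.0.3.5" is an assumption passed in by the caller; the script cannot know the latest CPU by itself.

```python
"""Turn `opatch lsinventory` output into a short PSU status report.

Added example, not code from the original posts or from Oracle.
Real use: run `opatch lsinventory > inv.txt` in the ORACLE_HOME, then
call psu_status(open("inv.txt").read(), "<level from the CPU advisory>").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the 11.2.0.3.5 PSU entry quoted in the
# reply above (bug list shortened); not output from a real system.
SAMPLE_LSINVENTORY = """\
Interim patches (1) :

Patch  14727310     : applied on Wed Jan 16 08:11:22 CET 2013
Unique Patch ID:  15663328
Patch description:  "Database Patch Set Update : 11.2.0.3.5 (14727310)"
   Created on 27 Dec 2012, 00:06:30 hrs PST8PDT
Sub-patch  14275605; "Database Patch Set Update : 11.2.0.3.4 (14275605)"
Sub-patch  13923374; "Database Patch Set Update : 11.2.0.3.3 (13923374)"
Sub-patch  13696216; "Database Patch Set Update : 11.2.0.3.2 (13696216)"
Sub-patch  13343438; "Database Patch Set Update : 11.2.0.3.1 (13343438)"
   Bugs fixed:
     14727310, 14275605, 13923374, 13696216, 13343438

OPatch succeeded.
"""

# A top-level patch block starts with "Patch <id> : applied on <date>";
# "Sub-patch" lines (earlier PSUs rolled into this one) do not match.
PATCH_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$", re.M)
DESC_RE = re.compile(r'^Patch description:\s*"(.*)"\s*$', re.M)
# PSU descriptions carry the level and the patch number.
PSU_RE = re.compile(r"Database Patch Set Update\s*:\s*(\d+(?:\.\d+)+)\s*\((\d+)\)")


@dataclass
class PatchEntry:
    patch_id: str
    applied_on: str
    description: str


def parse_lsinventory(text: str) -> List[PatchEntry]:
    """Return one PatchEntry per top-level patch block in lsinventory output."""
    entries = []
    heads = list(PATCH_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        block = text[head.start():end]
        desc = DESC_RE.search(block)
        entries.append(PatchEntry(head.group(1), head.group(2),
                                  desc.group(1) if desc else ""))
    return entries


def version_tuple(level: str) -> Tuple[int, ...]:
    """'11.2.0.3.5' -> (11, 2, 0, 3, 5), so levels compare numerically, not as strings."""
    return tuple(int(part) for part in level.split("."))


def highest_psu(entries: List[PatchEntry]) -> Optional[Tuple[str, str]]:
    """(level, patch number) of the highest Database PSU, or None if no PSU is applied."""
    best = None
    for entry in entries:
        m = PSU_RE.search(entry.description)
        if m and (best is None or version_tuple(m.group(1)) > version_tuple(best[0])):
            best = (m.group(1), m.group(2))
    return best


def psu_status(text: str, target_level: str) -> dict:
    """Compare the installed PSU level with the target taken from the CPU advisory."""
    entries = parse_lsinventory(text)
    psu = highest_psu(entries)
    if psu is None:
        status = "NO PSU APPLIED"
    elif version_tuple(psu[0]) >= version_tuple(target_level):
        status = "CURRENT"
    else:
        status = "BEHIND"
    return {"installed_psu": psu[0] if psu else None,
            "installed_patch": psu[1] if psu else None,
            "target_psu": target_level, "status": status,
            "interim_patches": len(entries)}


def format_report(result: dict) -> str:
    """Plain-language summary for a non-DBA reader."""
    lines = ["Oracle home patch status",
             "  Installed PSU : %s" % (result["installed_psu"] or "none"),
             "  Target PSU    : %s" % result["target_psu"],
             "  Status        : %s" % result["status"]]
    if result["status"] != "CURRENT":
        lines.append("  Action        : apply the current PSU; every fix since the "
                     "installed level is missing, not only the latest quarter's.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(psu_status(SAMPLE_LSINVENTORY, "11.2.0.3.5")))
```

Two caveats when using this as an assurance report. opatch lsinventory only proves the binaries in that Oracle home were patched; for a PSU the post-install SQL step is recorded separately in registry$history (the query in the reply above), so a database whose home shows 11.2.0.3.5 but whose registry$history stops at 11.2.0.3.4 is not fully patched, and the report should be produced per database, not per home. Second, "CURRENT" is only as good as the target level you feed in, which has to come from the latest CPU advisory each quarter.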
          • 2. Re: Oracle RDBMS security patch reports
            Sunthar Tharmalingam
            In OEM 12c, Administration/Security/Reports has a bunch of security reports that can provide the info you are looking for.
            Thanks...