Our IT auditor asked me:
kindly forward to us the information on the latest Oracle patch to be released together with your initial assessment on impact and applicability
Note that patches should be installed within one month from release if the CVSS score is at least 4.0, let's just hope there's nothing critical applicable to our setup.
Is she referring to PSU patch?
This is something I found regarding CVSS: https://blogs.oracle.com/security/entry/understanding_the_common_vulne_2
Security Patch Update (formerly CPU) for January 2014 is included in the Jan 2014 PSU patch. So, I believe this is what your IT auditor is talking about.
You're most welcome.
If your application and DB are working perfectly fine, you will need to check with your Application team to know if you really need to apply the latest PSU.
You will first need to test your application after applying the PSU preferably on a test system before deploying it in production.
Oracle always advises customers to be on the latest release and have the latest PSU applied. But applying the latest PSU depends on your feasibility and if you actually need the PSU to be applied.
Hi Sunt & All,
We have two (2) databases with corresponding App usage: 184.108.40.206 and 220.127.116.11
We all applied terminal PSU patch for 18.104.22.168.
If 22.214.171.124 has the latest PSU patch 126.96.36.199.9 and it contains a security vulnerability patch inside, does this mean it does not apply to 188.8.131.52? Meaning 184.108.40.206 is still secured having the terminal patch?
Yes, indeed. I don't think there are any fixes for security vulnerabilities included in 220.127.116.11.9 PSU.
"If you are patching a system that is currently BELOW Database PSU version
18.104.22.168.4 (Oct 2012) then please be sure to read Note:1493990.1 "Patching for CVE-2012-3137"
before applying this PSU to any Database Server."
Since you are already on 22.214.171.124.8 there aren't any security vulnerabilities for which you need to apply 126.96.36.199.9 PSU.
Hope this is clear.
Actually our PROD is only at 188.8.131.52.5. I only lately applied 184.108.40.206.8 to our UAT and have to test thoroughly before applying it to PROD. But since our test gets delayed and here comes another new PSU, we decided to wait for it. Then the same thing happens: delayed test, then comes a new PSU, and we apply it to UAT.
Are there security patches after 220.127.116.11.5?
Thanks a lot.
I think I'll regret my reply in this thread because I'm sure you are yxes2013 and you are here only to take all but not to work.
1. You already asked a very similar question, but it's very common with you: Re: Oracle CPU, PSU,Patches
Both threads starting by: "Hi all,
2. You don't even bother to keep in mind what was said in the older thread: go to Critical Patch Updates and Security Alerts, click on the month you want to check the CPU out, then check the matrix with the base score of each CVE#.