2 Replies Latest reply on Feb 6, 2013 3:50 AM by Sunthar Tharmalingam

    Oracle RDBMS security patch reports

      Aside from using costly commercial vulnerability scanners, are there any easy techniques to produce a management friendly report on what security patches are missing from an Oracle 11g database? Or better still to produce a “fully security patched” type assurance report to management.

      Could you provide simple steps to get to the report, or direction to a sample report?
      Also, excuse my ignorance, but I have heard systems administrators say they often fall behind on database security patches as they are concerned applying the patch could cause issues with the proper functioning of the application, is this a valid concern or a load of nonsense? Have you ever applied a security patch that has had an unfortunate knock on effect on the application that it drives.

      Please keep answers simple to a non DBA/management freindly.
        • 1. Re: Oracle RDBMS security patch reports
          Harm Joris ten Napel-Oracle

          in my experience in customer support I have found that customers often confuse the severity of a security vulnerability with the effects
          of the fix, for example a typical vulnerability would involve incorrect parameter validation, so it would be possible to abuse an API
          call to 'do their thing', however well behaved applications never try to do more than documented, so for those the fix has zero effect.

          Also in my experience regressions are very rare and even more exceptional in CPU patches, since they never intend to change any
          functionality but only stop the bad things to be possible.

          The best practice is to keep up with CPU (or PSU) patches as they are made available and not fall too far behind, each time Oracle
          issues an alert or quarterly CPU patch, there's an associated risk matrix that lists the vulnerability scores on a scale from 1 to 10
          detailing how bad it is this time, for the quarterly CPU most people forget it only lists the issues reported since the previous one,
          so when they fall behind with patching and wonder if the issue is sufficiently serious to apply a patch for it, they forget to check
          the seriousness of all fixed issues since the last CPU they applied.

          The advise is to simply apply these fixes as soon as they are made available since they are low risk and fix serious issues.

          To check what patches are installed in a database home use: opatch lsinventory -patch , for example with the latest PSU on it looks like this:

          Patch 14727310 : applied on Wed Jan 16 08:11:22 CET 2013
          Unique Patch ID: 15663328
          Patch description: "Database Patch Set Update : (14727310)"
          Created on 27 Dec 2012, 00:06:30 hrs PST8PDT
          Sub-patch 14275605; "Database Patch Set Update : (14275605)"
          Sub-patch 13923374; "Database Patch Set Update : (13923374)"
          Sub-patch 13696216; "Database Patch Set Update : (13696216)"
          Sub-patch 13343438; "Database Patch Set Update : (13343438)"
          Bugs fixed:

          Inside the database you can query registry$history for example (for the same database):

          SQL> set linesize 90
          set pagesize 100
          select substr(action_time,1,30) action_time,
          substr(id,1,8) id,
          substr(action,1,10) action,
          substr(version,1,8) version,
          substr(BUNDLE_SERIES,1,6) BUNDLE_SERIES,
          substr(comments,1,20) comments
          from registry$history;SQL> SQL> 2 3 4 5 6 7

          -------------------- ---- -------- --------------------------------
          ------------------------ ----------------------------------------
          17-SEP-11 0 APPLY
          95816 AM
          PSU Patchset

          06-JUL-12 0 APPLY
          33630 PM
          PSU Patchset

          20-NOV-12 4 APPLY
          98041 PM
          PSU PSU

          16-JAN-13 5 APPLY
          13726 AM
          PSU PSU

          For more information see:

          note 821263.1 How to confirm that a Critical Patch Update (CPU) has been installed in Linux / UNIX


          Harm ten Napel

          Edited by: hnapel on Jan 16, 2013 3:41 AM
          • 2. Re: Oracle RDBMS security patch reports
            Sunthar Tharmalingam
            in OEM 12c, administration/security/reports got bunch of security reports that can provide info you are looking for.
            1 person found this helpful