Oracle security patches causing headaches

Robert Westervelt, News Director
Why is the latest group of patches causing headaches for DBAs?

Security Alert No. 68 is really confusing and frustrating because Oracle gives little detail in the advisory as to the exact nature of the issues. We know that the patches eliminate vulnerabilities in the database server and the listener, in the application server and in the enterprise manager. But the Collaboration Suite and E-Business Suite are also affected. DBAs like to be absolutely certain that they need the patch and how much downtime is needed, and in this case it is impossible to be certain because so little information is available. Entire systems are being taken down, and that doesn't make anybody happy.

What is your advice to DBAs dealing with the patches?
Because no component is listed, DBAs should make every effort to apply the patch. It is a difficult process to get approval for downtime. All we know is that this patch addresses a very serious vulnerability, but we don't know exactly what it affects. If you have an open system, there is a very good possibility that it could be easily exploited, but if you have a system well tied down behind a firewall, you don't have to take any immediate action.

What stage are DBAs at in preparing to deploy these patches?
Most folks are still evaluating what has to be done, and some folks are waiting for their next scheduled downtime to apply the patches. My recommendation is to apply the patches immediately, but I can't blame anybody for waiting for a scheduled downtime, because downtime costs the company money.

How have the latest vulnerabilities and Oracle's response affected the company's image?

The vulnerabilities definitely hurt their image. Today, many senior managers know all about these vulnerabilities and that Oracle issued a patch without disclosing a reason, and this doesn't make anyone happy. Microsoft has released patches in a similar fashion, but when you bring down a Windows system, it is not as visible as an Oracle database.

What can Oracle do to respond better in the future?

Oracle should specifically say which components are affected, because then DBAs can determine whether the entire system needs to be taken out or just a few components. Another thing they can do is explain that if an enterprise takes certain actions on a database, then it should apply the patch. These things are not necessarily revealing to a hacker. A real hacker will find out from somewhere what to do to exploit a system.