Security Alert No. 68 is really confusing and frustrating because Oracle gives little detail in the advisory as to the exact nature of the issues. We know that the patches eliminate vulnerabilities in the database server and the listener, in the application server and in the enterprise manager. But the Collaboration Suite and E-Business Suite are also affected. DBAs like to be absolutely certain that they need the patch and how much downtime is needed, and in this case, it is impossible to be certain because so little information is available. Entire systems are being taken down and that doesn't make anybody happy.

What is your advice to DBAs dealing with the patches?
Because no component is listed, DBAs should make every effort to apply the patch. It is a difficult process to get approval for downtime. All we know is that this patch addresses a very serious vulnerability, but we don't know exactly what it does affect. If you have an open system, there is a very good possibility that it could be easily exploited, but if you have a system well tied to a firewall, you don't have to take any immediate action.

What stage are DBAs in preparing to deploy these patches?
Most folks are still evaluating what has to be done, and some folks are waiting for their next scheduled downtime to apply the patches. My recommendation is to apply the patches immediately, but I can't blame anybody for waiting for a scheduled downtime, because downtime costs the company money.

How have the latest vulnerabilities and Oracle's response affected the company's image?
Oracle should specifically say which components are affected, because then DBAs can determine whether the entire system needs to be taken out or just a few components. Another thing they can do is explain that if an enterprise takes certain actions on a database, then it should apply the patch. These things are not necessarily revealing to a hacker. A real hacker will find out from somewhere what to do to exploit a system.