Category Archives: 11gR1

Posts related to Oracle 11g Release 1

Oracle released CPU / PSU April 2014

As announced last week in my post Oracle CPU / PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Updates for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 security fixes, whereas one of the fixes has a very high CVSS rating. But this only affects installations on Windows. On these platform it is recommended to install the patch bundle as soon as possible. Nevertheless it is certainly advisable to install the patches on Unix/Linux-based systems

As somehow expectable, Oracle did not add any information about the OpenSSL issue to it’s current Critical Patch Advisory. I assume this is because the vulnerability was announced a few days ago. As discussed in my post Oracle and OpenSSL ‘Heartbleed’ vulnerability, Oracle is tracking information about this issue in MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed.

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 15 July 2014
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015

References

As usual there are a bunch of links and MOS Notes around the critical patch update available:

  • Oracle Critical Patch Update Advisory – April 2014
  • Patch Set Update and Critical Patch Update April 2014 Availability Document [1618213.1]
  • Oracle Critical Patch Update April 2014 Documentation Map [1637289.1]
  • Critical Patch Update April 2014 Database Known Issues [1615881.1]
  • Critical Patch April 2014 Database Patch Security Vulnerability Molecule Mapping [1615882.1]
  • Critical Patch Update April 2014 Oracle Fusion Middleware Known Issues [1618208.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN

Oracle CPU / PSU Pre-Release Announcement April 2014

Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. There are only a few days since the publication of the vulnerability CVE-2014-0160 known as “Heartbleed”. Therefore I assume, that this patch update does not yet address the corresponding vulnerability.

Nevertheless it seems that it contains bug fix for some major security issues. From the Oracle database point of view it is a small update. There are only two security bug fix for the Oracle Database Server and no for client-only installations. But one of the vulnerabilities does have a CVSS rating of 8.5 and affects the Core RDBMS. The vulnerabilities of Oracle Java SE are even higher and rated with a 10.0 out of 10.0.

We will see all the details next Tuesday when Oracle is officially releasing official Critical Patch Update for April 2014. Next week I’ll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle released CPU / PSU October 2013

As announced yesterday in my post Oracle CPU / PSU Pre-Release Announcement October 2013, Oracle has now released the last Critical Patch Updates for 2013. Overall this CPU contains 126 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 security fixes with a rather medium CVSS rating. Although the Core RDBMS is affected, it is probably not necessary to run a fire drill. If you have planned to patch anyway, it makes sense to consider the latest PSU or SRU. And if you plan to install Oracle 11.2.0.4.0 patch set, this critical patch update can even be skip, since there is no PSU or SPU for 11.2.0.4 available. According to the patch read-me, it seems that CVE-2013-5771 is fixed in 11.2.0.4. But I can’t confirm this, because I could not find a Bug-ID to compare.

By the way, Oracle has changed a few thing in database security patching for 12c. They will not publish any separate security patch updates (SPU) anymore but solely patch set update (PSU)

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 14 January 2014
  • 15 April 2014
  • 15 July 2014
  • 14 October 2014

References

Links all around Critical Patch Update:

Oracle database binaries with perl

Perl and Oracle has not always an easy past. Depending on the OS type and Oracle Version it can be quite nerve racking to compile DBI and DBD::Oracle. In addition to DBD::Oracle there are also other binary Perl modules that are not so easy to compile. On operating systems such as Microsoft Windows it is necessary to invest a little more effort to compile Perl. Alternatively one can use precompiled packages like Active Perl or Strawberry Perl. But this is basically not necessary at all if Oracle is already installed. Since Oracle 10g Perl is part of the Oracle binaries for the client and Database server. Oracle does use it for various tools itself. This allows it to easily create and execute custom perl scripts even on an Oracle Client installation. I do this regularly when I create Oracle Database security reviews. Instead of manually collecting all sorts of information, I’m running a few Perl scripts. This also works if I only have access to an Oracle client installation.

Available Perl Versions

Consequently, the different Oracle versions contains different versions of Perl. With the latest Oracle Database 12c Release 1 it just got update.

  • Oracle 10g Release 2 contains Perl 5.8.3
  • Oracle 10g Release 2 contains Perl 5.10.0
  • Oracle 12c Release 1 contains Perl 5.14.1

As you see this are not realy the latest stable version of Perl. The following Picture show’s the latest release for each branch of Perl.

LatestPerlReleases

Depending on what you want to do with Perl, this is generally not a problem. Nevertheless, it is useful to check what is supported in the corresponding release or not.

With perldoc you’ll get all kind of perl documentation. For instance the user contributed perl modules aka additional perl modules

$ORACLE_HOME/perl/bin/perldoc perllocal

With corelist you’ll get information on core perl modules perl.

$ORACLE_HOME/perl/bin/corelist -a utf8

utf8 was first released with perl 5.006
5.006 undef
5.006001 undef
5.006002 undef
5.007003 1.00
5.008 1.00
5.008001 1.02
5.008002 1.02
5.008003 1.02
5.008004 1.03
5.008005 1.04
5.008006 1.04
5.008007 1.05
5.008008 1.06
5.009 1.02
5.009001 1.02
5.009002 1.04
5.009003 1.06
5.009004 1.06
5.009005 1.07
5.01 1.07

Restrictions

But before you start to develop your big perl applications be aware, that you shouldn’t relay on it. According to the Oracle Metalink Note 342754.1 You should not use it for your own applications.

Note:- Perl and other 3rd party tools such as the Sun JRE are provided in the ORACLE_HOME for Oracle tool usage only. PERL libraries which are part of the Oracle RDBMS CD (Client / Database) are not meant for PERL custom application development, but they are used by various Oracle tools that are shipped along with Oracle RDBMS software such as EM DB Console etc.,

Using it for just a bunch of admin and reports scripts it shouldn’t be a big issues. Especially because you save quite some time when you not have to install Perl and DBD::Oracle yourself.

How tu use it

A few example how to use it will follow later on…

References

Some links related to this post.

  • Perl Source Readme on CPAN with information on the latest version on each branch of Perl
  • DBI – Database independent interface for Perl
  • DBD::Oracle Oracle database driver for the DBI module
  • Oracle Support of PHP, Perl, DBD/DBI and other 3rd party products [342754.1]
  • Active Perl from ActiveState
  • Strawberry Perl

Oracle released CPU / PSU July 2013

About a week ago Oracle has released the July Critical Patch Updates. Overall this CPU contains 89 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database Server it does contain 6 fixes, but none of them is for client-only installation. 1 of these vulnerabilities may be remotely exploitable without authentication. According the Database risk matrix all supported versions are affected. Since the critical patch update does mainly fix vulnerabilities in the core RDBMS and Oracle executables, it is worth to have a closer look. I’ll test the critical patch update on my test systems as usual. But I do not expect problems, since MOS Note 1546428.1 does not yet list any known issues. Be aware that Critical Patch Update (CPU) are usually cumulative and do contain previous security fixes. If you do not regularly apply Critical Patch Updates, it is essential to check previous patch notes.

First Testing

The Critical Patch Update could easily be installed on Linux x86-64bit, but opatch does fail with a few warnings. None of them prevents a successful installation. According to the Known Issues section in the Patch ReadMe and the two Metalink Notes 1448337.1 and 854711.1 the output can be safely ignored.

First Findings

After installing the patch and run catbundle I could identify a few changes on the hidden parameters. The following hidden parameters have been updated on my test system

SQL> @hip _db_flash_cache_keep_limit

Parameter                  SESSION Instance   S I D Description
-------------------------- ------- ---------- - - - --------------------------------------------------
_db_flash_cache_keep_limit         217751120        Flash cache keep buffer UPPER LIMIT IN percentage

SQL> @hip _fastpin_enable

Parameter                 SESSION Instance   S I D Description
------------------------- ------- ---------- - - - --------------------------------------------------
_fastpin_enable                   217827585        enable reference COUNT based fast pins

The following hidden parameter has been removed

SQL> @hip _db_flash_cache_keep_limit

Parameter                   SESSION Instance   S I D Description
--------------------------- ------- ---------- - - - --------------------------------------------------
_thirteenth_spare_parameter                          thirteenth spare parameter - string

But the strange thing is, the following new hidden parameters.

SQL> @hip _july2013_cpu_admin_user_fix

Parameter                    SESSION Instance   S I D Description
---------------------------- ------- ---------- - - - --------------------------------------------------
_july2013_cpu_admin_user_fix                          july2013 cpu admin USER fix

So far I could not figure out the purpose of _july2013_cpu_admin_user_fix parameter. It look’s somehow like a temporary fix for something. I assume it will disappear in the next Critical Patch Update on october 2014.

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 15 October 2013
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014

References

Links all around Critical Patch Update:

  • Oracle Critical Patch Update Advisory – July 2013
  • Patch Set Update and Critical Patch Update July 2013 Availability Document [1548709.1]
  • Critical Patch Update July 2013 Database Known Issues [1546428.1]
  • Opatch warning: overriding commands for target xxxx [1448337.1]
  • Oracle Critical Patch Update July 2013 Documentation Map [1563067.1]
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle [394487.1]
  • Risk Matrix Glossary — terms and definitions for Critical Patch Update risk matrices [394486.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN including links to Critical Patch Update since january 2005

Oracle CPU / PSU Pre-Release Announcement October 2012

Today Oracle has published the Pre-Release Announcement for the october CPU Patch. This Critical Patch Update contains 109 new security vulnerability fixes for several Oracle products. 5 of these fixes are just for the Oracle Database Server including 2 fixes for client-only installations. What frighten me a bit, is the CVSS Base Score of 10 for the core RDBMS. Oracle apparently has to close another big security issue. The core RDBMS is by the way the only component which has to be patched by this CPU. In combination with this severity everybody will have to patch. SCN flaw, TNS poisoning, Oracle Password Hashing Algorithm Weaknesses, etc obviously it’s the oracle-year of critical issues. Any way we will see it next week in detailed. As mentioned just the following Database Server Products are affected.

  • Core RDBMS

So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (11.2.0.2,11.2.0.3), Oracle Database 11g Release 1 (11.2.0.7) and Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5).

The official release for the CPU / PSU is planned for next week 16 October 2012. More details about the patch will follow soon on the Oracle Security Pages.

Oracle hidden init.ora parameter

This post focuses on init.ora parameters. It is not really new topic, but rather a personal reference to some practical queries and scripts. If you are the customer, it’s always handy when you can easily access your own queries.

It is quite simple to get some information on init.ora parameters from SQLPlus. Using a tool like TOAD or SQL Developer make it even easier. Unfortunately I work often at the customer without my own tools and scripts. So commandline and SQLPlus is the only “tools” available to work on the database. It is not an issue to dig through the data dictionary to get any kind of information as long as there is 1-2 view involved. But for querying multiple View’s, X$ views etc it is easier to have something on hand.

OK, what’s different with my queries? Not much, they just fit my needs 🙂 Instead of just querying v$parameter I’ll query as well the X$ views to see as well the hidden parameter and simple description for each parameter.

The first query does a select on X$KSPPI, X$KSPPCV, X$KSPPSV and V$PARAMETER to display all init.ora parameter including the hidden parameters. The result can be limited by adding a part of the parameter name or specify % to see all which then would be a little over 2500 parameters. S stands for it is session modifiable, I stands for it is system modifiable and D show if the parameter does still have the default value or not. I’ve added the query as hip.sql (stands somehow for hidden init parameter) to my small script collection which can be downloaded in the script section.

SET linesize 235
col Parameter FOR a50
col SESSION FOR a28
col Instance FOR a55
col S FOR a1
col I FOR a1
col D FOR a1
col Description FOR a90

SELECT  
  a.ksppinm  "Parameter",
  decode(p.isses_modifiable,'FALSE',NULL,NULL,NULL,b.ksppstvl) "Session",
  c.ksppstvl "Instance",
  decode(p.isses_modifiable,'FALSE','F','TRUE','T') "S",
  decode(p.issys_modifiable,'FALSE','F','TRUE','T','IMMEDIATE','I','DEFERRED','D') "I",
  decode(p.isdefault,'FALSE','F','TRUE','T') "D",
  a.ksppdesc "Description"
FROM x$ksppi a, x$ksppcv b, x$ksppsv c, v$parameter p
WHERE a.indx = b.indx AND a.indx = c.indx
  AND p.name(+) = a.ksppinm
  AND UPPER(a.ksppinm) LIKE UPPER('%&1%')
ORDER BY a.ksppinm;

The second script does the same as the first one exempt that it limit the result to the list of parameter which are not default. I’ve added the query as hipf.sql (stands somehow for hidden init parameter false) to my small script collection which can be downloaded in the script section.

SET linesize 235 pagesize 200
col Parameter FOR a50
col SESSION FOR a28
col Instance FOR a55
col S FOR a1
col I FOR a1
col D FOR a1
col Description FOR a90

SELECT * FROM (SELECT  
  a.ksppinm  "Parameter",
  decode(p.isses_modifiable,'FALSE',NULL,NULL,NULL,b.ksppstvl) "Session",
  c.ksppstvl "Instance",
  decode(p.isses_modifiable,'FALSE','F','TRUE','T') "S",
  decode(p.issys_modifiable,'FALSE','F','TRUE','T','IMMEDIATE','I','DEFERRED','D') "I",
  decode(p.isdefault,'FALSE','F','TRUE','T') "D",
  a.ksppdesc "Description"
FROM x$ksppi a, x$ksppcv b, x$ksppsv c, v$parameter p
WHERE a.indx = b.indx AND a.indx = c.indx
  AND p.name(+) = a.ksppinm
  AND UPPER(a.ksppinm) LIKE UPPER('%&1%')
ORDER BY a.ksppinm) WHERE d='F';

A few information on hidden init.ora parameter can be found in the Metalink Note How To Query And Change The Oracle Hidden Parameters In Oracle 10g [315631.1]