Category Archives: Security Patch Update

Oracle Security Patch Update also known as Critical Patch Update

Oracle CPU / PSU Pre-Release Announcement July 2016

Oracle has published the Pre-Release Announcement for the July 2016 Critical Patch Update. It's quite a huge update with no less than 276 security vulnerability fixes across the Oracle products. For the Oracle Database itself, 9 security fixes are available. This is again one of the larger Critical Patch Updates for databases. It does contain bug fixes for some major security issues. Five of the vulnerabilities are remotely exploitable without authentication. The security bug fixes are for the Oracle Database Server as well as for client-only installations; three of the security fixes apply to client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • Application Express
  • Data Pump Import
  • Database Vault
  • DB Sharding
  • JDBC
  • OJVM
  • Portable Clusterware
  • RDBMS Core

We will see all the details next Tuesday when Oracle officially releases the Critical Patch Update for July 2016. Next week I'll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

OPatch silent and unattended

In general I use Oracle OPatch interactively on the command line to install patch set updates. But recently I patched a cloud-based system with a confusing network timeout. As expected I got a broken pipe while executing OPatch. The system is also damn slow, which is not exactly helpful. Never mind, this was the time to look around for a stable alternative, i.e. OPatch should survive a potential network / connection loss.

A possible solution would be to use screen. Unfortunately screen is not available on the HP-UX system which I use for this particular Critical Patch Update test. Therefore I searched in MOS and found two helpful notes about using opatch in silent mode.

First step is to create a response file for OCM to make sure you do not get asked about security updates:

oracle@hpux01:~/ [CPU11204] $cdh/OPatch/ocm/bin/emocmrsp -no_banner -output $cdl/oradba/rsp/ocm_opatch.rsp
Provide your email address to be informed of security issues, install and
initiate Oracle Configuration Manager. Easier for you if you use your My
Oracle Support Email address/User Name.
Visit http://www.oracle.com/support/policies.html for details.
Email address/User Name:

You have not provided an email address for notification of security issues.
Do you wish to remain uninformed of security issues ([Y]es, [N]o) [N]:  y
The OCM configuration response file (/u00/app/oracle/local/dba/../oradba/rsp/ocm_opatch.rsp) was successfully created.

Second step is to run opatch in silent mode with the response file for OCM.

oracle@hpux01:~/ [CPU11204] cd /u00/app/oracle/software/ora/CPU_2015_10/21352635/
oracle@hpux01:/u00/app/oracle/software/ora/CPU_2015_10/21352635/ [CPU11204] $cdh/OPatch/opatch apply -silent -ocmrf $cdl/oradba/rsp/ocm_opatch.rsp

Alternatively, run opatch apply with nohup so the patch run survives a dropped session, and follow the output in nohup.out:

oracle@hpux01:~/ [CPU11204] cd /u00/app/oracle/software/ora/CPU_2015_10/21352635/
oracle@hpux01:/u00/app/oracle/software/ora/CPU_2015_10/21352635/ [CPU11204] nohup $cdh/OPatch/opatch apply -silent -ocmrf $cdl/oradba/rsp/ocm_opatch.rsp &

oracle@hpux01:/u00/app/oracle/software/ora/CPU_2015_10/21352635/ [CPU11204] tail -f nohup.out

Oracle Home       : /u00/app/oracle/product/11.2.0.4
Central Inventory : /u00/app/oraInventory
   from           : /u00/app/oracle/product/11.2.0.4/oraInst.loc
OPatch version    : 11.2.0.3.12
OUI version       : 11.2.0.4.0
Log file location : /u00/app/oracle/product/11.2.0.4/cfgtoollogs/opatch/opatch2015-10-30_08-51-15AM_1.log

Verifying environment and performing prerequisite checks...

In the days of analog and ISDN connections I was used to network interruptions. But today, where one is online everywhere… I guess I must use nohup and screen more often again. 🙂
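To wrap the steps above in something repeatable, here is a small POSIX sh wrapper written for this page as an added example (it is not code from the original post or from Oracle). It assumes ORACLE_HOME, the unpacked patch directory, the OCM response file and a log file are passed in explicitly instead of the post's $cdh / $cdl shell variables, checks that the response file is readable before going unattended (without it opatch would stop at the OCM prompt with nobody there to answer), runs opatch apply -silent -ocmrf under nohup, waits for it and returns its exit status so a calling script can act on the result.

```sh
#!/bin/sh
# Added example (not from the original post): run OPatch unattended the way the
# post describes: silent mode, OCM response file, nohup.
# Assumptions: ORACLE_HOME, patch directory, response file and log file are
# given as explicit arguments; no $cdh / $cdl environment is required.

# Build the opatch command line from an ORACLE_HOME and an OCM response file.
opatch_cmd() {
    oracle_home=$1
    rsp_file=$2
    printf '%s/OPatch/opatch apply -silent -ocmrf %s\n' "$oracle_home" "$rsp_file"
}

# Refuse to go unattended without a readable response file: without it opatch
# would stop and ask the OCM / email question instead of running to completion.
check_rsp() {
    [ -r "$1" ]
}

# Run a command under nohup with stdout/stderr in a log file, wait for it and
# return its exit status. nohup keeps the job alive if the SSH session drops;
# the log is what you "tail -f" from a new session after a disconnect.
run_detached() {
    log_file=$1
    shift
    nohup "$@" >"$log_file" 2>&1 &
    job_pid=$!
    wait "$job_pid"
    job_rc=$?
    printf 'command finished with exit status %s\n' "$job_rc" >>"$log_file"
    return "$job_rc"
}

# Full sequence: sanity-check the inputs, change into the unpacked patch
# directory (opatch apply expects to be started there) and run it detached.
# The exit status of opatch is the authoritative result, not the log text.
opatch_unattended() {
    oracle_home=$1
    patch_dir=$2
    rsp_file=$3
    log_file=$4
    check_rsp "$rsp_file" || { echo "response file $rsp_file missing or unreadable" >&2; return 2; }
    [ -d "$patch_dir" ] || { echo "patch directory $patch_dir not found" >&2; return 2; }
    ( cd "$patch_dir" && run_detached "$log_file" "$oracle_home/OPatch/opatch" apply -silent -ocmrf "$rsp_file" )
}

# Usage, with the paths from the post (constructed illustration, not executed here):
# opatch_unattended /u00/app/oracle/product/11.2.0.4 \
#     /u00/app/oracle/software/ora/CPU_2015_10/21352635 \
#     /u00/app/oracle/local/oradba/rsp/ocm_opatch.rsp \
#     /tmp/opatch_apply.log
```

Because the wrapper waits for the detached job, run the wrapper itself from screen or under nohup as well when the session is the unreliable part; the important property is that opatch is never a child of the shell that will receive the SIGHUP.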

References

Oracle CPU / PSU Pre-Release Announcement January 2015

Oracle has published the Pre-Release Announcement for the first Critical Patch Update in 2015. This Critical Patch Update contains 167 new security vulnerability fixes across all Oracle products. It looks like this CPU contains a bunch of critical security fixes for Oracle databases. Actually there are 7 fixes for security vulnerabilities, but none of them is remotely exploitable, nor are they for client-only installations. Nevertheless the highest CVSS rating is 9.0. I wonder which OS is affected 😉

Besides the high CVSS rating, some core components seem to be affected:

  • Core RDBMS
  • DBMS_UTILITY
  • PL/SQL
  • Recovery
  • Workspace Manager
  • XML Developer’s Kit for C

We will see all the details later today, when Oracle officially releases the Critical Patch Update for January 2015. Together with my colleagues at Trivadis, we'll have a closer look and do some testing. See also the Trivadis Critical Patch Updates Report.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Pre-Release Announcement July 2014

Oracle has published the Pre-Release Announcement for the July 2014 Critical Patch Update. It looks like the next Critical Patch Update is somewhat more extensive from the database point of view. It contains six bug fixes for some major security issues. Some of the vulnerabilities may be remotely exploitable without authentication. The security bug fixes are for the Oracle Database Server as well as for client-only installations.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:

  • Network Layer
  • RDBMS Core
  • XML Parser

We will see all the details next Tuesday when Oracle officially releases the Critical Patch Update for April 2014. Next week I'll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle released CPU / PSU April 2014

As announced last week in my post Oracle CPU / PSU Pre-Release Announcement April 2014, Oracle has now released the Critical Patch Updates for April 2014. Overall this CPU contains 104 new security fixes across several Oracle products like Database Server, MySQL Server, Sun Product Suite, WebLogic Server etc. For Oracle Database it contains only 2 security fixes, one of which has a very high CVSS rating. But this one only affects installations on Windows. On this platform it is recommended to install the patch bundle as soon as possible. Nevertheless it is certainly advisable to install the patches on Unix/Linux-based systems as well.

As might be expected, Oracle did not add any information about the OpenSSL issue to its current Critical Patch Advisory. I assume this is because the vulnerability was announced only a few days ago. As discussed in my post Oracle and OpenSSL 'Heartbleed' vulnerability, Oracle is tracking information about this issue in MOS Note 1645479.1 OpenSSL Security Bug-Heartbleed.

CPU Release Dates

The next four Critical Patch Updates will be released at the following dates:

  • 15 July 2014
  • 14 October 2014
  • 20 January 2015
  • 14 April 2015

References

As usual there are a bunch of links and MOS Notes around the critical patch update available:

  • Oracle Critical Patch Update Advisory – April 2014
  • Patch Set Update and Critical Patch Update April 2014 Availability Document [1618213.1]
  • Oracle Critical Patch Update April 2014 Documentation Map [1637289.1]
  • Critical Patch Update April 2014 Database Known Issues [1615881.1]
  • Critical Patch April 2014 Database Patch Security Vulnerability Molecule Mapping [1615882.1]
  • Critical Patch Update April 2014 Oracle Fusion Middleware Known Issues [1618208.1]
  • Oracle Critical Patch Updates and Security Alerts on OTN

Oracle CPU / PSU Pre-Release Announcement April 2014

Today Oracle has published the Pre-Release Announcement of the CPU Advisory for April 2014. This Critical Patch Update contains 103 new security vulnerability fixes for several Oracle products. It has only been a few days since the publication of the vulnerability CVE-2014-0160, known as "Heartbleed". Therefore I assume that this patch update does not yet address the corresponding vulnerability.

Nevertheless it seems that it contains bug fixes for some major security issues. From the Oracle database point of view it is a small update. There are only two security bug fixes for the Oracle Database Server and none for client-only installations. But one of the vulnerabilities has a CVSS rating of 8.5 and affects the Core RDBMS. The vulnerabilities in Oracle Java SE are rated even higher, at 10.0 out of 10.0.

We will see all the details next Tuesday when Oracle officially releases the Critical Patch Update for April 2014. Next week I'll have a closer look and do some test installations.

More details about the patch will follow soon on the Oracle Security Pages.

Oracle CPU / PSU Pre-Release Announcement January 2014

Today Oracle has published the Pre-Release Announcement for the first CPU Patch in 2014. This Critical Patch Update contains 147 new security vulnerability fixes for several Oracle products. From the Oracle database point of view it is a small update. There are only five security fixes for the Oracle Database Server and none for client-only installations.

Although the CVSS rating of these vulnerabilities is 5.0, it looks like there is no hurry to install this security fix on most database environments. Whether this is true, we'll see next Tuesday when Oracle officially releases CPU / PSU January 2014. Next week I'll have a closer look.

More details about the patch will follow soon on the Oracle Security Pages.