Comments on: Oracle CPUs – Do We Care? http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/ Slavik's Blog Wed, 14 Dec 2011 10:35:06 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Kevin http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/comment-page-1/#comment-887 Kevin Tue, 04 Dec 2007 17:26:19 +0000 http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/#comment-887 I tend to work in more secure environments where the CPUs are not optional. Our approach is to do an analysis of the CPU based on the CVSS score and security controls in place in the particular environment that may mitigate the vulnerabilities. This gives us a priority for which components to patch first but all are eventually patched. In generally, we consider ourselves successful if we can complete the CPU before the next one comes out. Not exactly a high bar for success but about the best we can do when confronted with HA requirements and, oh yeah, doing the real work of the company. We struggle with the E-Business Suite patches not being cumulative. You cannot fall behind and catch-up on the next CPU. A place we seen a little improvement is the quality of the patches for "stand-alone" components. Obviously from a security perspective you should only install what's needed. So if you only need Web Cache or Apache (OHS) just install the stand-alone components rather than the full app server. The CPU's failed on a regular basis for these environments but have been better of late. It looks like Oracle is now doing a better job of testing the CPUs for the stand-alone components. I tend to work in more secure environments where the CPUs are not optional. Our approach is to do an analysis of the CPU based on the CVSS score and security controls in place in the particular environment that may mitigate the vulnerabilities. This gives us a priority for which components to patch first but all are eventually patched. In generally, we consider ourselves successful if we can complete the CPU before the next one comes out. Not exactly a high bar for success but about the best we can do when confronted with HA requirements and, oh yeah, doing the real work of the company.

We struggle with the E-Business Suite patches not being cumulative. You cannot fall behind and catch-up on the next CPU.

A place we seen a little improvement is the quality of the patches for “stand-alone” components. Obviously from a security perspective you should only install what’s needed. So if you only need Web Cache or Apache (OHS) just install the stand-alone components rather than the full app server. The CPU’s failed on a regular basis for these environments but have been better of late. It looks like Oracle is now doing a better job of testing the CPUs for the stand-alone components.

]]> By: Doug's Oracle Blog http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/comment-page-1/#comment-182 Doug's Oracle Blog Sat, 27 Oct 2007 21:22:22 +0000 http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/#comment-182 <strong>The Reality Gap (1) - Software Maintenance...</strong> It's so long now since the OUG Scotland Conference and I ended up leaving early because I wasn't feeling too good so I'm not going to attempt a review of the day. I asked a few others what they thought afterwards and the general view was that the ... The Reality Gap (1) – Software Maintenance…

It’s so long now since the OUG Scotland Conference and I ended up leaving early because I wasn’t feeling too good so I’m not going to attempt a review of the day. I asked a few others what they thought afterwards and the general view was that the …

]]> By: Slavik http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/comment-page-1/#comment-142 Slavik Thu, 23 Aug 2007 20:39:48 +0000 http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/#comment-142 Hi Matt, thanks for your insightful comment. It's certainly not an all-or-none decision whether to apply or not apply CPUs and when. Given the genuine difficulty in performing any kind of upgrade to a production database, I think that your approach can certainly result in better security with minimal business disruption. It may require some education, however, since people tend to ignore threats they don't understand (until the threats have materialized...) Hi Matt, thanks for your insightful comment. It’s certainly not an all-or-none decision whether to apply or not apply CPUs and when. Given the genuine difficulty in performing any kind of upgrade to a production database, I think that your approach can certainly result in better security with minimal business disruption. It may require some education, however, since people tend to ignore threats they don’t understand (until the threats have materialized…)

]]> By: Oracle CPUs - Do We Care? auf maol symbolisch http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/comment-page-1/#comment-141 Oracle CPUs - Do We Care? auf maol symbolisch Thu, 23 Aug 2007 16:30:52 +0000 http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/#comment-141 [...] fragt sich: Oracle CPUs - Do We Care? […] do we care about Oracle CPUs at all? Oracle was getting a lot of heat from security [...] [...] fragt sich: Oracle CPUs – Do We Care? […] do we care about Oracle CPUs at all? Oracle was getting a lot of heat from security [...]

]]> By: mattypenny http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/comment-page-1/#comment-140 mattypenny Thu, 23 Aug 2007 15:47:23 +0000 http://www.slaviks-blog.com/2007/08/22/oracle-cpus-do-we-care/#comment-140 Hi, I did a user group presentation about applying CPUs earlier in the year. I think its fair to say that the numbers would have been similar at that group as they were for yours. My recommendation, for what its worth, was, and is, that the DBA agrees a CPU patching strategy with one or more of the following: - their boss, - the individual business owners - the security team ...and gets this agreed to in writing. These people, depending on the organization, should all have a say in weighing up the risks of patching (or not patching), versus the work involved. This is a lot easier to achieve, I think, since the CVSS has been adopted. The strategy could be to: - apply all relevant CPUs - apply no CPUs - apply relevant CPUs with a certain CVSS score If you have an agreed strategy and something goes wrong - i.e. either the CPU mucks up your database, or you get hacked - then its not just the DBA who carries the can. Cheers Matt Hi,

I did a user group presentation about applying CPUs earlier in the year. I think its fair to say that the numbers would have been similar at that group as they were for yours.

My recommendation, for what its worth, was, and is, that the DBA agrees a CPU patching strategy with one or more of the following:
- their boss,
- the individual business owners
- the security team
…and gets this agreed to in writing.

These people, depending on the organization, should all have a say in weighing up the risks of patching (or not patching), versus the work involved. This is a lot easier to achieve, I think, since the CVSS has been adopted.

The strategy could be to:
- apply all relevant CPUs
- apply no CPUs
- apply relevant CPUs with a certain CVSS score

If you have an agreed strategy and something goes wrong – i.e. either the CPU mucks up your database, or you get hacked – then its not just the DBA who carries the can.

Cheers

Matt

]]>