SANS ISC: InfoSec Handlers Diary Blog
From the Mailbag - taking Oracle and its CPU to task

Published: 2009-07-18
Last Updated: 2009-07-18 17:10:53 UTC
by Patrick Nolan (Version: 1)
2 comment(s)

As a follow-up to a previous Diary (Oracle Black Tuesday), a Storm Center participant, Brian, offered some comments about Oracle's CPU (Critical Patch Update).

Brian said "Regarding your comment on Oracle Black Tuesday, I have several observations that may benefit other ISC readers.

The exposure of Oracle's CPU goes far beyond the database as they have expanded significantly into many other software, including key security management software (Identity Management/Authentication).

As Oracle repackages several open source products, administrators are stuck choosing between security and support.  For example, the recent patches to Apache's http server can't be applied because Oracle repackages that product as Oracle HTTP Server.  Apply the patches and you're no longer supported.

Oracle has got to find a way to make the CPU analysis easier.  The decision matrix an administrator has to go through is obscene.  I conducted an analysis of a recent CPU for our environment and it took me over a week solid to determine what the exposure was and what the prerequisites for the CPU patches were.  And that doesn't include the support time and outages because Oracle's documentation was incorrect.  As a user community, we need to push Oracle to make this process simpler (think up2date or YaST or even Windows Update)."

Thanks for sending in your thoughts, Brian. Banding together and working with the vendor is always effective. So if there is already a group of customers that have banded together to work effectively with Oracle, let us know some of the group's specifics and I'll update the diary.

In addition to the previous Diary's comment about the lack of substantial vulnerability information for non-customers, it should be noted that Oracle's public Critical Patch Update Advisory - July 2009 has a section called the Patch Availability Table and Risk Matrices. Each product's Risk Matrix provides CVSS information that can help both customers and non-customers prioritize Oracle CPUs for deployment.
