Security

Are Quarterly patches a good idea on Database Servers?


It seems that these days all major players in the software industry are beginning to deliver patches on a quarterly patch cycle. Oracle is one such vendor that plans to release fixes for 37 flaws for its flagship products on roughly April 17.

Vendors such as Microsoft, Oracle, and IBM are releasing patches, updates, and service packs with more ferocity and complexity than ever before. I believe monthly and quarterly patch updates allow an IT staff to plan for patch rollout, as opposed to getting a new e-mail each day about newly released patches, updates, and/or vulnerabilities.

Oracle’s move to a quarterly patch cycle will make life easier on its customer base. Rather than have its customer base react to exploits, patches, updates, etc., Oracle can now enable its client base to plan accordingly. Overall, the adoption of a quarterly patch cycle by many vendors (Microsoft, IBM, Oracle, etc.) is a move in the right direction to plan patch releases and give their client base notice on when these patches will become available. Oracle did this once before in January as a better way to prepare its base of clients for patches, vulnerabilities, and flaws.

There is a negative side to patching quarterly: the vendor may sit on known security flaws for months, leaving systems exposed to compromise via Denial of Service and SQL Injection attacks in the meantime. I can only hope that we will still see some exploits, patches, and updates surface that have an emergency status and can't wait until the quarterly patch cycle.

Oracle has been known in the past to have an issue with buffer overflow attacks, DoS, and remote exploitation. Many were led to believe that Oracle was unbreakable, but we have all learned that this is untrue. Is any software unbreakable? Was the Titanic unsinkable?

According to Oracle, the critical patch updates are released midmonth on the following dates: July 17, 2007, October 16, 2007, January 15, 2008, and April 15, 2008. The updates will be issued to customers via Oracle's support Web site on the dates above.

Included in the patch cycle are vulnerabilities that exist in some of the products that Oracle acquired. Examples include Oracle PeopleSoft Enterprise People Tools, PeopleSoft Enterprise Human Capital Management, and JD Edwards OneWorld Tools.

Additionally, there are 11 new security fixes for the Oracle E-Business Suite, two of which may be remotely exploited without authentication.

The update covers vulnerabilities in the following Oracle products:
• Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3    [ Database ]
• Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5    [ Database ]
• Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8    [ Database ]
• Oracle Secure Enterprise Search 10g Release 1, version 10.1.6    [ Secure Enterprise Search (OTN) ]
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0    [ Application Server ]
• Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0    [ Application Server ]
• Oracle Application Server 10g (9.0.4), version 9.0.4.3    [ Application Server ]
• Oracle10g Collaboration Suite Release 1, version 10.1.2    [ Collaboration Suite ]
• Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2    [ E-Business Suite ]
• Oracle E-Business Suite Release 12, version 12.0.0    [ E-Business Suite ]
• Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8    [ Enterprise Manager ]
• Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48    [ PeopleSoft/JDE ]
• Oracle PeopleSoft Enterprise Human Capital Management version 8.9    [ PeopleSoft/JDE ]
• JD Edwards EnterpriseOne Tools version 8.96    [ PeopleSoft/JDE ]
• JD Edwards OneWorld Tools SP23    [ PeopleSoft/JDE ]
2 comments
blarman

The difference is scope. Taking an individual PC down for an upgrade only affects its one user and can generally be completed in 10-15 minutes. Not a big effect on productivity unless the patch breaks something. Taking a production database server down, on the other hand, can affect hundreds or even millions of users. And database upgrades are _rarely_ in the 10-15 minutes category. Most require several hours to apply the patches/upgrades and then recompile affected database objects. Is there a better way? Should there be a better way? Good questions.

mjd420nova

Timing is the most important element here. Long holiday weekends are a boon to this process and the curse to the IT people, but it has to be done. I can't count the number of holiday weekends I've had to work on just these types of projects. It has become a way of life but a very important part of the customer's business, keeping systems up to date without disturbing the normal flow of work or colliding with other necessary procedures needed to keep users' information up to date and not bogged down by balky systems and out-of-date databases.