
Introducing Oracle's Quarterly Critical Patch Updates
with Oracle Chief Security Officer Mary Ann Davidson

Beginning January 18, 2005, Oracle will provide Critical Patch Updates on a quarterly schedule. The comprehensive patches, available via MetaLink, will address significant security vulnerabilities and include fixes that customers are likely to apply, prerequisites for the security fixes, or both.

OTN: Why did Oracle launch a quarterly critical patch update?
Davidson: Customers have told us they prefer to have a regular, planned schedule for patching their systems. After surveying scores of customers across a wide variety of industries, we found that a quarterly schedule strikes a smart balance between issuing patches often enough to protect against serious vulnerabilities vs. issuing patches so often that customers can't keep up with them. The quarterly schedule makes it much easier for customers to plan and manage the maintenance process, while reducing associated costs. Given the cost of patching, one patch is better than a number of one-off patches that may cause conflicts or require multiple tests before applying to production systems.

OTN: What's included in the January 18 Critical Patch Update?
Davidson: The Critical Patch Update issued on January 18, 2005 contains fixes for security vulnerabilities in the Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite. The comprehensive patch also includes fixes that customers are likely to apply and/or are prerequisites for the security fixes.

OTN: What is the new "Risk Matrix" included with Critical Patch Updates?
Davidson: The January 2005 Critical Patch Update introduces a Risk Matrix as a means for customers to gauge the severity of the vulnerabilities addressed. The Risk Matrix lists the vulnerabilities fixed in the Critical Patch Update and describes their nature and scope. It includes an indication of each vulnerability's threat to confidentiality, integrity and availability, conditions required for exploit, and the product component affected, amongst other information. The Risk Matrix provides information for customers to assess the risk to their systems, prioritize patching on those systems and perform targeted testing.

OTN: Which vulnerabilities do the critical patches include?
Davidson: Critical Patch Updates address significant vulnerabilities found both by Oracle's internal resources and by the security research community. And, as usual, Oracle notifies all customers simultaneously about vulnerabilities.

OTN: What is the update schedule for 2005 and how will customers be informed?
Davidson: Critical Patch Updates are scheduled to be issued to customers in 2005 on the Tuesday closest to the middle of the month: January 18, April 12, July 12, and October 18. Oracle customers will be notified of Critical Patch Updates via MetaLink, the OTN Security Alerts page, and the Oracle Security RSS newsfeed.

OTN: But what about severe issues? Are there instances when Oracle will deviate from the schedule?
Davidson: In the event of the cyber-equivalent of 'imminent bodily harm'—a case where the threat to our customers is so high and imminent that we can't wait for the next Critical Patch Update—Oracle will issue an unscheduled Security Alert through MetaLink and will post the patch for immediate download. The patch will also be included in the next quarterly Critical Patch Update. But for the most part, Critical Patch Updates will be the process by which patches are issued moving forward.

OTN: To which product areas does the new process apply?
Davidson: Critical Patch Updates may include patches for Oracle Database, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, and Oracle E-Business Suite. Unlike patch sets which are specific to one product family, Critical Patch Updates will typically include patches for all product families.

OTN: What is PeopleSoft's patch process? How will Oracle handle PeopleSoft patches?
Davidson: Oracle is currently reviewing the PeopleSoft security alert process and will make a decision on how patches for the PeopleSoft product line will be handled in the future.

OTN: What details regarding specific vulnerabilities will Oracle provide to customers in the Critical Patch Updates?
Davidson: Information provided in the Critical Patch Updates will be designed to meet customer desire for information about the risks of the vulnerabilities, while not providing sufficient detail for hackers to easily gain insight into how to exploit the vulnerability.

OTN: How does Oracle decide what to include in a Critical Patch Update?
Davidson: Oracle analyzes, logs, and prioritizes every security vulnerability based on a severity formula that considers a number of factors, such as ease of exploit, whether special privileges are required to exploit, type of vulnerability, and so on. Oracle prioritizes security vulnerabilities to ensure that the items deemed most critical make the cutoff for the next update. Critical Patch Updates also include prerequisites for the security patches themselves, to ensure there are no patch conflicts for most customers.

OTN: What happens if a customer deviates from the Critical Patch Update schedule or decides not to implement a given update? Will the subsequent update apply properly?
Davidson: Critical Patch Updates are applied on top of patch sets. Oracle includes common prerequisite patches in the Critical Patch Update (meaning common one-off patches that many customers have asked for, particularly recommended patches for E-Business Suite customers). This means customers need only apply the Critical Patch Update, and that most customers will not experience patch conflict. Oracle's Critical Patch Updates are cumulative from the last patch set, so only the most recent update needs to be installed. For example, suppose a customer running Oracle 9.2.0.5 doesn't apply the January 2005 update. By applying the April 2005 update (for Oracle 9.2.0.5 on their platform), they will also obtain all the fixes from the January Critical Patch Update.

OTN: What role will Independent Software Vendors (ISVs) play in the Critical Patch Update process?
Davidson: Currently, ISVs are notified in the same manner as any customer. Oracle is considering an outreach program to help ISVs certify their software on Critical Patch Updates more rapidly.

OTN: What is Oracle doing to prevent future security vulnerabilities?
Davidson: Oracle continues to look at innovative ways to prevent security faults in software development, and remediate these prior to product shipment. For example, we have done security-specific code reviews focused on finding and eliminating the most common security faults, and we are exploring a number of source code scanning tools. We are also rolling out a comprehensive class on secure coding practice.

OTN: Should customers be concerned about Oracle's security?
Davidson: Oracle remains second to none in its commitment to secure product development and market-leading security features and functions with 19 independent security evaluations. The Oracle Database has been evaluated 17 times against every major worldwide security evaluation criteria, representing more than $17 million invested to "vet" Oracle security; Oracle Application Server has 2 security evaluations. Oracle augments this with a formal secure development process, secure coding standards, worldwide training on secure coding practice, exit criteria for security for each product release, and product assessments (ethical hacking) performed by both internal personnel and selected external firms.

OTN: Do customers need to sign up for the Critical Patch Update process?
Davidson: Customers who are already MetaLink subscribers are already signed up for the Critical Patch Update; no action is required. For customers with active support contracts for Oracle licenses, but not yet registered for MetaLink support, you can register for MetaLink access today. Customers without an active support contract will not have access to patches and should contact their account representative.
