Comments on TaoSecurity Blog: Thoughts on Oracle Non-Patching
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed last updated: 2023-10-16

Comment by Mark McKinnon (https://www.blogger.com/profile/06597353327384503465), 2008-01-23 18:14 -05:00:

There is a lot more that needs to be taken into consideration when patching Oracle databases than just the database. If you happen to be running Oracle Apps, SAP, Baan or one of the other behemoth application suites, then there might be full system testing in order to get the patch in. Now that can take quite a bit of not only the DBA's time but also Application Support and business process testing. I certainly will not say that not applying security patches is not important, but when you have to get Application Support and business users involved they tend to shy away from doing the testing, as they feel this patch does not affect them. This can bring the morale of the DBA down, as their stuff is not deemed critical and takes the back burner. How many DBAs out there have wanted to upgrade their databases only to be shot down because the app people and the business do not want to test? The DBA can do only so much testing on their end to mitigate the risk of patching. This also applies to DB2 and other databases as well.

Comment by Joe (https://www.blogger.com/profile/14998755598722686389), 2008-01-21 12:16 -05:00:

Patching Oracle can be dangerous if you are patching a production database server. No one should be patching a production server though. Patch Oracle QA and test, test, test.

Patching Oracle is a much slower and meticulous process though.

Comment by Anonymous (https://www.blogger.com/profile/15858347243894167105), 2008-01-20 09:38 -05:00:

Also, Oracle patches are much more difficult to get ahold of than, say, Microsoft patches. One must have an Oracle Tech Net / Metalink account, and I could find no direct / easy way through the Oracle site to navigate to the CPU download page. There have been times that, in order to download a patch, I had to input the license number of the Oracle installation that I was running. In large bureaucratic organizations, this information may not be immediately available. And finally, it is often difficult to find the patch you need -- 9i vs 10g? 9iAS vs 9i? SPARC or Intel? Is my 9i database still supported? Do I need to drop thousands on an upgrade in order to be secure?

Also, I think that buck-passing has a lot to do with this problem. The "it's not my job" mentality is pervasive; a lot of DBAs that I've spoken to want to do nothing more than to keep their database / application up and running.

Which brings me to the next point: there is also the mentality that "if it ain't broke, don't fix it". If the application or database is working fine without the patch, and there is even the slightest chance that applying the patch could cause problems, then the DBA will not apply the patch. Many of the DBAs I've met just don't have the in-depth knowledge required to troubleshoot problems that could come up. They know how to add users, create tables, change permissions, perform backups and other maintenance. But if you get outside those lines, you're asking for trouble.