Starting January 18, 2005, Oracle plans to provide Critical Patch Updates quarterly. These comprehensive patches, distributed through Metalink, address significant security vulnerabilities and include the fixes that customers may apply, the prerequisite fixes needed before security fixes can be applied, or both.
OTN: Why is Oracle starting quarterly Critical Patch Updates?
Davidson: Customers tell us that they prefer to patch their systems regularly and systematically. After surveying many customers in various industries, we found that a quarterly patch update program strikes a reasonable balance between releasing patches promptly enough to address serious vulnerabilities and releasing them so frequently that customers cannot keep up. Quarterly patch updates make it easier for customers to plan and manage their maintenance processes while reducing the associated costs. Given the cost of patching, one patch is better than many one-off patches, which can conflict with one another or require multiple rounds of testing before being applied to a production system.
OTN: What was included in the Critical Patch Update of January 18?
Davidson: The Critical Patch Update released on January 18, 2005 contains fixes for vulnerabilities in Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite. This comprehensive patch also contains the prerequisite fixes for the hotfixes and/or security fixes that customers may want to apply.
OTN: What is the new "risk matrix" provided with the Critical Patch Update?
Davidson: The January 2005 Critical Patch Update introduced a risk matrix as a way for customers to assess the severity of the vulnerabilities addressed. The risk matrix lists the vulnerabilities fixed in the Critical Patch Update and describes their characteristics and scope. It also gives, for each vulnerability, the threat to confidentiality, integrity, and availability, the conditions required to exploit the vulnerability, the affected product components, and so on. The risk matrix gives customers the information they need to assess the risk to their own systems, prioritize the application of patches, and perform targeted testing.
OTN: What vulnerabilities are included in a Critical Patch Update?
Davidson: Critical Patch Updates address significant vulnerabilities found both by Oracle's internal resources and by the security research community. And, as usual, Oracle notifies all customers of these vulnerabilities at the same time.
OTN: What is the update schedule for 2005, and how will customers be notified?
Davidson: Critical Patch Updates are scheduled to be released to customers in 2005 as close as possible to the middle of the month, on January 18, April 12, and October 18. Oracle customers will be notified of Critical Patch Updates through Metalink, the OTN security alert pages, and the Oracle Security RSS feed.
"In the event of a so-called 'imminent bodily harm' in the computer world, Oracle will release an unscheduled security alert and make patches available for immediate download."
OTN: But what happens when there is a serious problem? Is there a situation in which Oracle will step outside the schedule?
Davidson: In the event of a so-called "imminent bodily harm" in the computer world, where the threat to our customers is so severe and urgent that we cannot wait for the next Critical Patch Update, Oracle will issue a security alert through Metalink outside the release schedule and make patches available for immediate download. These patches will also be included in the next quarterly Critical Patch Update. For the most part, however, the Critical Patch Update will be the process for publishing fixes going forward.
OTN: Which product areas does the new process apply to?
Davidson: A Critical Patch Update may contain patches for Oracle Database, Oracle Application Server, Oracle Enterprise Manager, Oracle Collaboration Suite, and Oracle E-Business Suite. Unlike a patch set, which is specific to one product family, a Critical Patch Update typically includes patches for all product lines.
OTN: What about the PeopleSoft patch process? How does Oracle handle PeopleSoft patches?
Davidson: Oracle is currently reviewing the PeopleSoft security alert process and will decide how patches for the PeopleSoft product line will be handled in the future.
"Oracle continues to seek innovative ways to prevent security flaws in software development."
OTN: What details about a specific vulnerability will Oracle provide to customers in a Critical Patch Update?
Davidson: The information provided in a Critical Patch Update is designed to meet customers' need for information about the risk of the vulnerability, but it does not provide so much detail that a hacker gains easy insight into how to exploit the vulnerability.
OTN: How does Oracle decide what to include in a Critical Patch Update?
Davidson: Oracle analyzes, records, and prioritizes each vulnerability according to a severity formula that takes into account a number of factors, such as the ease of exploitation, whether special privileges are required, the type of vulnerability, and so on. Oracle prioritizes vulnerabilities to ensure that the items considered most important are available in the next update. Critical Patch Updates also include the prerequisite fixes needed to apply the security patches themselves, so that most customers experience no patch conflicts.
OTN: What if a customer falls behind the Critical Patch Update schedule or decides not to apply a given update? Will subsequent updates still apply correctly?
Davidson: Critical Patch Updates are applied on top of a patch set. Oracle includes common prerequisite patches in Critical Patch Updates (that is, common one-off patches that many customers require, especially those recommended for E-Business Suite customers). This means that customers only need to apply the Critical Patch Update, and most customers will not experience patch conflicts. Oracle's Critical Patch Updates are cumulative from the last patch set, so you only need to install the latest update. For example, suppose a customer running Oracle 9.2.0.5 did not apply the January 2005 update. By applying the April 2005 update (for Oracle 9.2.0.5 on their platform), they will also get all the patches from the January Critical Patch Update.
OTN: What role do independent software vendors (ISVs) play in the Critical Patch Update process?
Davidson: Currently, ISVs are notified in the same way as any other customer. Oracle is considering an expanded program to help ISVs quickly certify their software against Critical Patch Updates.
OTN: What measures is Oracle taking to prevent future security vulnerabilities?
Davidson: Oracle continues to seek innovative ways to prevent security flaws in software development and to fix these vulnerabilities before a product ships. For example, we have implemented code reviews specifically for security, focused on finding and eliminating the most common security flaws, and we have made extensive use of source-code scanning tools. We have also introduced a comprehensive course on secure coding practices.
OTN: Should customers be concerned about Oracle security?
Davidson: With 19 independent security evaluations, Oracle is unmatched in its efforts to secure product development and in its market-leading security features and functionality. Oracle Database has been evaluated 17 times against the major global security assessment criteria, which means we have invested more than 1,700 dollars to "check" Oracle security; Oracle Application Server has undergone 2 security evaluations. Oracle reinforces these measures with a formal security development process, secure coding standards, global training on secure coding practices, security compliance testing for each product release, and product evaluations (simulated hacker attacks) performed by internal personnel and selected external agencies.
OTN: Do customers need to register for the Critical Patch Update process?
Davidson: A customer who is already a Metalink user is already registered for Critical Patch Updates, and no action is required. Customers who have an active support contract for their Oracle licenses but have not yet registered for Metalink support can register for Metalink access immediately. Customers who do not have an active support contract will not be able to obtain patches and should contact their customer representative.