IOUG Update: Oracle Security Patching

Was one of your New Year's resolutions to get security patches applied in a timely and efficient manner? Oracle's quarterly Critical Patch Update was released yesterday, and IOUG recommends that you apply security patches on a regular basis in order to maintain the security posture of your Oracle environment. Having procedures already in place makes the rollout of these patches easier: they allow for pre-checks of the environment and databases, application of the patches, testing and validation, and any post-scripts that should run.

If you already apply patches regularly, then this quarter should be no different. You might use the new year to validate your test plans and confirm that they check what they need to, or to upgrade to newer releases. Also make sure that you review the release notes to see whether any pre- or post-checks are necessary, and include these with the patching.

The January 2012 Critical Patch Update includes content related to the much-publicized "growth in the System Change Number (SCN)". Oracle provided information about this issue in My Oracle Support document 1376995.1. The note provides instructions for a pre-check to assess the risk to the databases. Along with the checks, there might be a need to run some additional testing. One way to test is to run a restore from the backups to validate SCN values and recoverability, which is already part of best practice for database administrators. With these tests and the test plans for applying the Patch Set Updates (PSU) or traditional Critical Patch Update patches, you can validate that the fixes address the vulnerabilities in your environment. Going forward, users should rely on the checks discussed in the My Oracle Support (MOS) document and regularly review the alert logs once the patches are applied.

Yesterday, InfoWorld released an article related to Oracle customers' installation of this patch. Knorr, InfoWorld Editor in Chief, stated, "Oracle provided us with a download of the patch in advance of its release today. Although we've run preliminary tests and confirmed that the patch prevents some forms of manipulation of the SCN, we do not know how Oracle's remedy will fare in complex, interconnected database environments." InfoWorld is asking users to contact them about their experiences.

A couple of white papers on best practices for applying PSUs and CPUs are available to members on the Oracle security pages and in the IOUG paper repository for additional reference.

For additional information or to get involved in IOUG Volunteer Security efforts, contact Michelle Malcher, IOUG Director at