
March 2007 Archives

March 14, 2007

Applying Critical Patch Updates with OPatch

Hello, this is Eric Maurice again.

In most IT environments, software patching is an arduous and unrewarding task.  Often referred to as a "necessary evil", patches rarely yield immediately measurable benefits, but they are nevertheless critical to maintaining an organization's security posture.

Oracle supplies a utility to help customers apply its security patches, which are released as Critical Patch Updates (CPUs).  The One-Off Patch Installer, OPatch, is a Java-based utility that works alongside the Oracle Universal Installer and its product inventory.  OPatch is available on every operating system for which Oracle releases software.  We recently recorded a short Internet seminar with technical tips on using OPatch; it is available on the Oracle Software Security Assurance Resource Library page.

Over the years, OPatch has gained a number of features that ease the burden of patching complex production systems.  It can report every Oracle product installed in an Oracle home together with its patch level.  Before a Critical Patch Update is applied, it can check that the environment is ready and that the patch conflicts with nothing already installed.  It also supports rollback of a previously applied patch, updating the product inventory so that it stays synchronized.  Most importantly, OPatch's "silent installation" option, flexible command set, and three installation modes for Real Application Clusters (RAC) (all-node, minimum-downtime, and rolling; a patch can only be applied in rolling mode if it is flagged as rolling-capable) let customers apply security patches within short maintenance windows while keeping their production environment as available as possible.
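
As an added example (not Oracle's code and not part of the original post), the sequence the paragraph describes, scripted around OPatch in POSIX shell: record the inventory, run the conflict check, apply silently, verify, and roll back on failure.  It assumes ORACLE_HOME points at the home being patched, that the CPU has been unpacked into the directory passed to apply_cpu, and that the installed OPatch provides the prereq subcommand (the conflict-check subcommand name is an assumption about the OPatch version in use).  The inventory text and patch numbers embedded below are constructed placeholders, not real Oracle patch numbers.

```shell
#!/bin/sh
# Added example, not Oracle's code: a scripted Critical Patch Update
# workflow around OPatch, plus a parser for "opatch lsinventory" output so
# the patch level can be recorded before and after the change window.
# Assumptions: ORACLE_HOME is set and $ORACLE_HOME/OPatch/opatch exists;
# the CPU zip has been unpacked into the directory passed to apply_cpu;
# the "prereq" subcommand is present in the installed OPatch version.
# The inventory text and patch numbers below are constructed sample data,
# not real Oracle patch numbers.

# Print the interim patch IDs from lsinventory text read on stdin.
# lsinventory prints one "Patch  <id>  : applied on <date>" line per patch.
applied_patches() {
    awk '/^Patch +[0-9]+ +: applied on /{ print $2 }'
}

# Succeed (exit 0) if patch $1 appears in the lsinventory text read on stdin.
patch_is_applied() {
    applied_patches | grep -qx "$1"
}

# Change-window procedure for one unpacked patch directory and its patch ID:
# record the inventory, skip if already applied, run the conflict check,
# apply silently, verify, and roll back if the apply fails.
# The instance and listener using this home must already be stopped
# (single instance) or the RAC mode chosen as the patch README directs.
apply_cpu() {
    patch_dir=$1
    patch_id=$2
    opatch="$ORACLE_HOME/OPatch/opatch"
    before="/tmp/lsinventory.before.$$"

    "$opatch" lsinventory > "$before" || return 1
    if patch_is_applied "$patch_id" < "$before"; then
        echo "patch $patch_id already in inventory; nothing to do"
        rm -f "$before"
        return 0
    fi
    # Conflict check against the Oracle home before anything is changed.
    ( cd "$patch_dir" && "$opatch" prereq CheckConflictAgainstOHWithDetail -ph . ) || return 2
    # -silent answers the interactive prompts so the apply fits a scripted window.
    if ! ( cd "$patch_dir" && "$opatch" apply -silent ); then
        "$opatch" rollback -silent -id "$patch_id"
        return 3
    fi
    # Confirm the inventory now lists the patch.
    "$opatch" lsinventory | patch_is_applied "$patch_id"
    status=$?
    rm -f "$before"
    return $status
}

# Constructed lsinventory output (a 10.2.0.3 home with two placeholder patches).
SAMPLE_INVENTORY='Installed Top-level Products (1):

Oracle Database 10g                                                  10.2.0.3.0
There are 1 products installed in this Oracle Home.


Interim patches (2) :

Patch  1111111      : applied on Wed Mar 14 09:30:00 PST 2007
   Created on 1 Mar 2007, 10:00:00 hrs PST8PDT
   Bugs fixed:
     1111111, 1111112

Patch  2222222      : applied on Tue Jan 16 14:05:00 PST 2007
   Created on 8 Jan 2007, 12:00:00 hrs PST8PDT
   Bugs fixed:
     2222222

OPatch succeeded.'

# With a patch directory and patch ID (and a usable OPatch) run the real
# workflow; otherwise exercise the inventory parser on the sample text.
if [ "$#" -eq 2 ] && [ -x "${ORACLE_HOME:-/nonexistent}/OPatch/opatch" ]; then
    apply_cpu "$1" "$2"
else
    echo "patches in sample inventory:"
    printf '%s\n' "$SAMPLE_INVENTORY" | applied_patches
fi
```

Run with no arguments the script only parses the sample inventory; given a patch directory and patch ID it runs the real sequence and leaves a non-zero exit status at the step that failed.  Any post-installation SQL steps listed in the CPU's README are outside the script and still have to be run afterwards.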

A flexible and scalable tool, OPatch is a robust utility for applying Oracle's Critical Patch Updates.  In addition to listening to the Internet seminar, you can find more detailed technical information on OPatch in the Oracle Universal Installer and OPatch User's Guide.  The recently updated Critical Implementation Practices white paper also provides numerous technical tips to help organizations plan the application of Critical Patch Updates in their environment.

March 22, 2007

Secure Configuration Enhancements with Oracle 11g

Hello!  This is Dennis MacNeil.  After 10 years working with Java technology and developers, I've changed my focus to databases and security.  Today, I am a product marketing director for database security products, including Oracle Advanced Security, Oracle Database Vault and the upcoming Oracle Audit Vault.  For my first blog entry about database security, I'd like to tell you about some of the security enhancements currently included in the Oracle 11g beta default configuration.

An important aspect of Oracle Software Security Assurance is the Secure Configuration Initiative.  Originally called "security by default", this initiative has been ongoing since Oracle8i to make it easier for customers to install and configure the Oracle database with an enhanced security posture.  Enhancements over the years have included locking and expiring default accounts at install time, making installation of the sample schemas optional, and trimming the default CONNECT role (reduced in 10gR2 to the CREATE SESSION privilege).

As Chad Hughes explained in his recent blog entry, Oracle's configuration hardening initiative is designed to let non-security experts deploy Oracle products more securely while maintaining backward compatibility and support for other Oracle and third-party applications.  Oracle 11g, currently released in beta form, is planned to incorporate a number of secure configuration enhancements.  With Oracle 11g beta, Oracle plans to let customers choose between a 10g-like configuration (if they are concerned with backward compatibility) and a security-enhanced configuration.  The enhancements in the secure configuration provided by Oracle 11g beta are planned to fall into three categories:

1) New default audit settings
2) New password management mechanisms
3) New access control capabilities

Whereas general database auditing was off by default in previous releases of the Oracle database, the Oracle Database 11g beta secure configuration is intended to enable it by default.  Performance improvements are planned alongside this change to reduce the overhead typically associated with auditing.

With Oracle 11g beta, passwords are also expected to become case sensitive (password hashes created before the change stay case insensitive until the password is reset).  This and other changes should improve protection against brute-force and password-guessing attacks.  For example, in addition to locking an account after 10 failed login attempts (already the default configuration in 10gR2), the planned Oracle 11g beta defaults expire passwords every 180 days and allow only a seven-day grace period in which a user can still log in with an expired password before access is disabled.

The Oracle 11g beta default configuration is also planned to tighten several UTL_* packages, such as UTL_TCP, UTL_SMTP, UTL_MAIL and UTL_HTTP.  By default these packages can no longer reach any network host or port; the SYS and XDB schemas specifically remain exempt from this restriction.  Database administrators are instead expected to specify which network services (hosts and ports) each database user may access through these packages.
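
As an added example (not Oracle's code and not part of the original post), the password and network settings in the three paragraphs above, turned into something a DBA can act on: a check of a 10g-style DEFAULT profile against the 11g defaults just described, and the SQL*Plus script that brings such a database up to them.  The DBMS_NETWORK_ACL_ADMIN procedure names are those of the released 11g, an assumption relative to the beta the post describes; APP_USER and smtp.example.com are placeholders, and the profile rows embedded below are constructed sample data.

```shell
#!/bin/sh
# Added example, not Oracle's code: check a database's DEFAULT profile
# against the 11g secure-configuration password defaults described above
# (10 failed attempts, 180-day password life, 7-day grace period) and emit
# the SQL*Plus script that brings a 10g-style configuration up to them,
# including a network ACL for the UTL_* packages. The DBMS_NETWORK_ACL_ADMIN
# procedure names are those of the released 11g, an assumption relative to
# the beta the post describes; APP_USER and smtp.example.com are placeholders.

TARGET_FAILED=10   # FAILED_LOGIN_ATTEMPTS
TARGET_LIFE=180    # PASSWORD_LIFE_TIME, days
TARGET_GRACE=7     # PASSWORD_GRACE_TIME, days

# Reads "RESOURCE_NAME LIMIT" pairs on stdin, as produced by
#   SELECT resource_name, limit FROM dba_profiles WHERE profile = 'DEFAULT';
# and prints one line for each limit that is weaker than the 11g default.
weaker_limits() {
    awk -v tf="$TARGET_FAILED" -v tl="$TARGET_LIFE" -v tg="$TARGET_GRACE" '
    # UNLIMITED switches the control off; otherwise a larger number is more lenient.
    function weaker(have, want) {
        return have == "UNLIMITED" || (have + 0) > want
    }
    $1 == "FAILED_LOGIN_ATTEMPTS" && weaker($2, tf) { print $1 " is " $2 ", 11g default " tf }
    $1 == "PASSWORD_LIFE_TIME"    && weaker($2, tl) { print $1 " is " $2 ", 11g default " tl }
    $1 == "PASSWORD_GRACE_TIME"   && weaker($2, tg) { print $1 " is " $2 ", 11g default " tg }'
}

# Number of weaker limits, as a plain digit string.
count_weaker() {
    weaker_limits | wc -l | tr -d ' '
}

# Emit the hardening script; run it as SYS, e.g.  hardening_sql | sqlplus / as sysdba
hardening_sql() {
    cat <<EOF
-- Password management defaults of the 11g secure configuration.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS $TARGET_FAILED
  PASSWORD_LIFE_TIME    $TARGET_LIFE
  PASSWORD_GRACE_TIME   $TARGET_GRACE;

-- Case-sensitive passwords (11g parameter); existing hashes stay
-- case-insensitive until each password is reset.
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE;

-- Standard auditing on by default; static parameter, takes effect after restart.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- Network ACL: let only APP_USER reach the mail relay on port 25 through
-- UTL_SMTP/UTL_MAIL; every other host and port stays closed to the UTL_*
-- packages for users other than SYS and XDB.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'mail_relay.xml',
    description => 'Outbound SMTP for APP_USER',
    principal   => 'APP_USER',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'mail_relay.xml',
    host       => 'smtp.example.com',
    lower_port => 25,
    upper_port => 25);
  COMMIT;
END;
/
EOF
}

# Constructed 10gR2-style DEFAULT profile: lockout after 10 failures,
# but no password expiry and no limit on the grace period.
SAMPLE_10G_PROFILE='FAILED_LOGIN_ATTEMPTS 10
PASSWORD_LIFE_TIME UNLIMITED
PASSWORD_GRACE_TIME UNLIMITED
PASSWORD_LOCK_TIME 1'

echo "limits weaker than the 11g defaults:"
printf '%s\n' "$SAMPLE_10G_PROFILE" | weaker_limits
```

On the sample profile the check reports the two UNLIMITED limits and accepts FAILED_LOGIN_ATTEMPTS, which 10gR2 already sets to 10.  Test the emitted script against a 10gR2-like configuration first, as the post recommends: expiring passwords and closing the UTL_* packages will break any application that relies on the old behaviour.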

As previously indicated, customers who are concerned about the enhanced default configuration of 11g beta should be able to choose a 10gR2-like configuration during initial setup, in order to test backward compatibility with other applications and validate the configuration's compliance with their existing security policies.

Though more secure default configurations can help organizations enhance their security posture, they do not replace sound security practices throughout the IT infrastructure.  Additional activities such as periodic security audits, ongoing monitoring of network transactions, and timely application of the Critical Patch Updates remain critical to minimizing risk.  To help customers meet these objectives, the Resource Library on the Oracle Software Security Assurance site provides links to numerous technical security resources, such as the database security checklist.

There are a lot of other really interesting security-related features expected to be included in Oracle 11g; I'll tell you more about them in future blog entries.

"The following is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.  It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle."

About March 2007

This page contains all entries posted to The Oracle Global Product Security Blog in March 2007. They are listed from oldest to newest.