By Eric P. Maurice-Oracle on Dec 14, 2011
Hi, this is Eric Maurice again.
On October 18th 2011, Oracle released the October 2011 Critical Patch Update. As usual, this Critical Patch Update included a number of fixes across a wide range of products, including the Oracle Database. In the blog entry summarizing the Critical Patch Update, I highlighted the fact that the number of fixes released for the Oracle Database were expected to remain low and made the following statement:
“As the Oracle Database Server code base has matured, Oracle’s ongoing security assurance activities have weeded out many of the vulnerabilities that were contained in the code base. Unless circumstances change drastically (as a result of, for example, the discovery of new exploit vectors), we expect that the number of Oracle Database Server vulnerabilities fixed in each Critical Patch Update will remain at relatively lower level than previously experienced. This is not to say that Oracle is no longer fixing vulnerabilities in the Oracle Database Server product suite, but that in fact, the number of security defects to fix has generally decreased over the last 3 to 4 years. In addition our secure coding efforts have also helped reducing the number of vulnerabilities written into new code. In a future blog entry, we will discuss the various patching options available to Oracle Database Server customers to take care of the security and non-security fixes in their Oracle Database Server deployments.”
In today’s follow-up, we are going to discuss the various patching options available to Oracle Database customers and go over the security benefits resulting from keeping up with the most recent releases (patch sets and major releases) of the Oracle Database. Note that many of the concepts discussed in this blog are also applicable for Oracle Fusion Middleware and Oracle Enterprise Manager products.
In order to provide the best security posture to all Oracle customers, Oracle’s security fixing policies generally require Oracle to fix security vulnerabilities in severity order: in other words, Oracle tries to fix the most severe vulnerabilities first.
Oracle provides Database security and non-security fixes in major releases, Patch Sets, and Patch Set Updates (PSUs), whereas traditional Critical Patch Update patches (not PSUs) include only security fixes (more details about the content of each of these types of patches follow).
Let’s have a more detailed look into the content that goes in the different types of Oracle patches and updates and how this content might affect an organization’s patching strategy.
Traditional Critical Patch Update patches include only security vulnerability related content. They generally provide fixes for higher risk security vulnerabilities. Oracle’s focus with these patches is to address higher risk issues while ensuring that customers’ environments remain stable after patch application. These patches include fixes for vulnerabilities, which can be directly exploitable, e.g. buffer overflows, and which could ultimately result in the takeover of the targeted system.
Traditional Critical Patch Update patches typically do not address issues that cannot be directly exploited (e.g. as violation of least privilege policy and other security in depth fixes) unless they could aggravate the impact of another directly exploitable issue. They also do not provide fixes for issues for which there are no exploits but which are otherwise against safe secure coding principles. For example, we routinely fix issues such as specific uninitialized variables, which have no known security exploits, but for which we are concerned that someone might find a way to exploit.
Traditional Critical Patch Update patches also do not include fixes for certain exploitable issues that have very low risk when the fixes could result in customer applications failing to work properly without modification. They also do not include fixes for exploitable issues that are very low risk (such as when the exploitation window is very narrow, for example when limited to a short period during installation). In addition, Critical Patch Updates typically do not include fixes that require large scale code modification or for which there is no reasonable patching mechanism.
Again, Oracle’s focus with the traditional Critical Patch Update patches is to address higher risk issues while ensuring that their application will not cause customers to experience significant impact in production.
Patch Set Updates (PSUs) are another type of bundled patches distributed under the Critical Patch Update program. In addition to containing all the fixes contained in the traditional Critical Patch Update bundles, PSUs also contain non-security fixes for issues that have been reported by multiple customers.
These non security PSU fixes are designed to provide high-reward / low-risk fixes, and are an expression of Oracle’s overall proactive support strategy. Before their inclusion in a PSU, Oracle will have determined that these non-security fixes have already been installed at a number of customer sites with no reported negative effects. A Patch Set Update is denoted by incrementing the 5th place in the version string (e.g. Oracle Database Server 22.214.171.124.1).
Next, let’s have a look at Patch Sets. A Patch Set release is identifiable by the 4th place in the version string (For example, 126.96.36.199.0, 188.8.131.52.0). Patch Sets contain all the PSU fixes as well as additional content. This additional content includes reworked security PSU fixes to make them more extensive or to cover more in-depth issues. It can also include additional fixes for security in-depth issues, including fixes for issues such as uninitialized variables, and other issues related to unsafe coding practices, which are not known to be exploitable but nevertheless have been fixed by Oracle to prevent their use in case they were ever discovered by an attacker.
Major releases (denoted by the number before and the digit after the “dot” in the version number, e.g. for Oracle Database 11g Release 1 the major release would be the "11.1" in the patch set 184.108.40.206) contain all the above Patch Set fixes as well as additional reworked security fixes to make them more extensive or to cover more in-depth issues. Major releases also contain many additional fixes for security in-depth issues as well as major architectural fixes that improve security in a comprehensive manner. In addition to providing new product features, major releases will also contain fixes that were not delivered in Patch Sets or PSUs because of Oracle’s concerns about negative impact on existing applications without code or significant configuration changes.
Note again that because of Oracle’s policies governing the sequencing of the security fixes, it is possible that certain security fixes will be included in Patch Sets or product releases distributed before the relevant Critical Patch Update. In other words, in some instances the fix for a given vulnerability may be included in a Patch Set or a product release, before the vulnerability is fixed in a consequent Critical Patch Update. Furthermore, though we try to avoid such a situation, there are instances where security fixes cannot be backported to previous but still supported releases because the nature of the fix is too complex, may require an in-depth re-engineering of the code, or may require extensive code or configuration changes by the customers. In such instances, the security fixes may only be available through a patchset or more likely through a major release.
Oracle recommends that, to optimize their security posture, as well as to fully take advantage of Oracle’s proactive support model (through the release of low risk fixes for commonly encountered issues), customers have a plan that includes regular patch sets and release upgrades coupled with quarterly patch set updates. Such upgrades are provided without additional charge to customers with Oracle Premier Support.
These upgrades provide not only critical security benefits, even in instances where customers apply ALL the Critical Patch Updates in a timely fashion, but also provide tangible production benefits as customers on recent releases are less likely to experience production issues, that have been reported by other customers, and for which Oracle produced a fix.
For more information:
Oracle Security Fixing policies are explained on the Oracle Software Security Assurance web site at http://www.oracle.com/us/support/assurance/fixing-policies/index.html.
My Oracle Support Note 854428.1 "Patch Set Updates for Oracle Products" is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=854428.1
The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Oracle Technical Support policies are located at http://www.oracle.com/us/support/policies/index.html