Shulou (SLTechnology News & Howtos), Database section. Shulou.com report, 06/01; updated 2025-01-28.
Many people like to download vulnerability scanners and scan everything in sight, which naturally turns up plenty of "high-risk vulnerabilities". Do those findings make you a little nervous? After reading this article you will understand how Oracle patching actually works, and it will all make sense.
As for the common vulnerability scanners, Oracle has made it clear that it does not authorize or endorse the scan results of any third-party software.
In reality, these scanners are not doing anything sophisticated, and they have no ability to find vulnerabilities in the Oracle software itself. Most of the vulnerabilities are found and fixed by Oracle after some *, and Oracle releases the corresponding patches to remove the risk. Far from being sophisticated, a lot of scanning software is downright amateurish when it comes to Oracle vulnerabilities.
They merely check which Oracle patches have been released and whether the database has the latest patch, then report the result as "vulnerabilities" to frighten customers, which only shows how little value they add.
What these third-party tools do corresponds, on the Oracle side, to a very simple check (one command, two document lists) that settles whether the vulnerabilities exist.
One command: $ORACLE_HOME/OPatch/opatch lsinventory
Patch list: Quick Reference to Patch Numbers for Database/GI PSU, SPU (CPU), Bundle Patches and Patchsets (Doc ID 1454618.1)
CVE vulnerability information list: http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html
1. Now that the scanning software has found "vulnerabilities", let's see what its advice is. Apply patches, of course, but which patches? CPU, CPU, CPU; important things are said three times.
Look at the advice for the following two vulnerabilities: you are told to apply two different CPUs to fix them, yet two CPUs cannot be applied at the same time, because they conflict.
Whenever I come across this suggestion, I want to say: "Brother, can you please be professional? You sell scanning software with an expensive license, and this is what you show me?"
2. The following picture is the report provided by the scanning software.
3. Let's take a look at Oracle's patch structure, and we will see why the third-party scanning software is unprofessional.
One-off (interim) patch: the fix for a single bug.
Merge Patch: fixing multiple bugs requires multiple patches. Applying a patch is essentially replacing files in the Oracle software, so when several patches modify different parts of the same file, they conflict. To resolve this conflict Oracle provides a merge patch, which combines the code changes of the two smaller patches into a single replacement file.
Bundle patch: a patch set that fixes multiple bugs. On the Windows platform Oracle has no one-off patches, only Bundle Patches. They are released periodically (at least once a quarter) and are cumulative, meaning each Bundle Patch contains all previous Bundle Patches. Windows Bundle Patch 16, for example, contains all of the previous 15 Bundle Patches, so we always recommend installing the latest one. The Windows Bundle Patch for Oracle's cluster software is the same as the one for the database software; Windows Bundle Patch 16 (patch number 16167942), for instance, can be applied to either the cluster or the database.
To learn the patch number of Windows Bundle Patch, you can refer to the MOS documentation:
Note 161549.1 Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms
Critical Patch Update (CPU): released quarterly; a cumulative set of patches that fix security issues. It has since been renamed Security Patch Update (SPU).
Click the link below to see the specific problems fixed by each CPU:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Patch Set Update (PSU): released quarterly to fix serious problems; it includes that quarter's CPU and is cumulative. Although the fifth digit of the database version is used to describe a PSU, for example Database PSU 11.2.0.3.5, the database version does not actually change after a PSU is applied: the version shown in v$version is still four digits (11.2.0.3.0) and the fifth digit is still 0. Note that there are no CPUs or PSUs on Windows, and that Oracle's cluster software and database software use different PSUs.
(The text above is quoted from the official Oracle blog: https://blogs.oracle.com/database4cn/oracle-v4)
4. What concerns us most here is the relationship between CPU and PSU. What is it?
The following official description explains it:
Critical Patch Updates (CPU) address security vulnerabilities, Patch Set Updates (PSU) address proactive, critical fixes and security vulnerabilities.
The Patch Set Updates and Critical Patch Updates that are released each quarter contain the same security fixes. However, they use different patching mechanisms, and Patch Set Updates include both security and recommended bug fixes. Consider the following guidelines when you are deciding to apply Patch Set Updates instead of Critical Patch Updates.
Critical Patch Updates are applied only on the base release version, for example 10.2.0.4.0.
Patch Set Updates can be applied on the base release version or on any earlier Patch Set Update. For example, 11.1.0.7.2 can be applied on 11.1.0.7.1 and 11.1.0.7.0.
Once a Patch Set Update has been applied, the recommended way to get future security content is to apply subsequent Patch Set Updates. Reverting from an applied Patch Set Update back to the Critical Patch Update, while technically possible, requires significant time and effort, and is not advised.
For more information on Patch Set Updates, see Note 854428.1, Patch Set Updates for Oracle Products.
Summary: a PSU contains the CPU, and PSUs can be applied on top of one another, but a CPU must be rolled back before the next one can be applied.
In my years in Oracle Support, it seems customers use PSUs to fix problems; very few use CPUs, since the continuity of PSUs is better.
5. Now that we understand the concepts, let's look back at the vulnerabilities found by the scanning software and how to resolve them.
The vulnerability lookup URL is:
http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html
(If this link fails, use the following steps to reach the CVE lookup page:
OPN.oracle.com -> Topic Centers (www.oracle.com/technetwork/topics/index.html) -> Security -> View the most recent Critical Patch Update Advisory -> Map of Public Vulnerability to Advisory/Alert)
6. For example, for the vulnerability findings below, take the date each vulnerability was disclosed and, using the document Quick Reference to Patch Numbers for Database PSU, SPU (CPU), Bundle Patches and Patchsets (Doc ID 1454618.1), find the PSU/CPU whose release date covers the fix.
Looking it up shows that PSU 11.2.0.3.13 (released JAN2015) and later already fix the following problems:
- Oracle Database Server JPublisher component code execution vulnerability (CVE-2014-6546): Oracle Critical Patch Update October 2014
- Oracle Database Server JPublisher component code execution vulnerability (CVE-2014-6545): Oracle Critical Patch Update October 2014
- Oracle Database Server Java VM component code execution vulnerability (CVE-2014-6467): Oracle Critical Patch Update October 2014
- Oracle Database Server SQLJ component code execution vulnerability (CVE-2014-6455): Oracle Critical Patch Update October 2014
- Oracle Database remote security vulnerability (CVE-2014-2406): Oracle Critical Patch Update April 2014
- Oracle Database remote security vulnerability (CVE-2014-2408): Oracle Critical Patch Update April 2014
- Oracle Database Server remote security vulnerability (CVE-2014-4236): Oracle Critical Patch Update July 2014
- Oracle Database Server JPublisher component vulnerability (CVE-2014-6477): Oracle Critical Patch Update October 2014
- Oracle Database Server Spatial component local security vulnerability (CVE-2014-0378): Oracle Critical Patch Update January 2014
- Oracle Database Server Core RDBMS component remote security vulnerability (CVE-2013-5858): Oracle Critical Patch Update January 2014
- Oracle Database Server Core RDBMS component remote information disclosure vulnerability (CVE-2014-0377): Oracle Critical Patch Update January 2014
- Oracle Database Server remote security vulnerability (CVE-2014-4237): Oracle Critical Patch Update July 2014
- Oracle Database Server remote security vulnerability (CVE-2014-4245): Oracle Critical Patch Update July 2014
- Oracle Database Server Java VM component code execution vulnerability (CVE-2014-6560): Oracle Critical Patch Update October 2014
7. Document: database patch version list
Quick Reference to Patch Numbers for Database PSU, SPU (CPU), Bundle Patches and Patchsets (Doc ID 1454618.1)
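As an added illustration of the "one command, two documents" check (this is example code, not from the article or from Oracle): it parses a constructed sample of `opatch lsinventory` output, takes the highest applied PSU level, and, because PSUs are cumulative, decides whether each CVE a scanner reports is already covered. The CVE-to-PSU table stands in for what you would look up in Doc ID 1454618.1 and the CVE-to-advisory mapping page; the patch number 99999999 and CVE-2099-0001 are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the lines from `opatch lsinventory` that matter here
# (not real output; the patch number 99999999 is a placeholder).
SAMPLE_INVENTORY = """\
Oracle Database 11g                                                  11.2.0.3.0
Interim patches (1) :

Patch  99999999     : applied on Fri Jan 23 10:11:12 CST 2015
   Patch description:  "Database Patch Set Update : 11.2.0.3.13 (99999999)"
"""

# CVE -> first PSU level that ships the fix. The 11.2.0.3.13 rows follow the article's
# statement about the January 2015 PSU; CVE-2099-0001 is a placeholder for "not covered yet".
CVE_FIXED_IN = {
    "CVE-2014-6546": "11.2.0.3.13",
    "CVE-2014-2406": "11.2.0.3.13",
    "CVE-2099-0001": "11.2.0.3.14",
}

BASE_RE = re.compile(r"^Oracle Database .*?(\d+(?:\.\d+){4})\s*$", re.MULTILINE)
PSU_RE = re.compile(r"Database Patch Set Update : (\d+(?:\.\d+){4})")

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def installed_level(inventory: str) -> Tuple[int, ...]:
    """Highest PSU level in the inventory, or the base release if no PSU is applied."""
    psus = [parse_version(v) for v in PSU_RE.findall(inventory)]
    return max(psus) if psus else parse_version(BASE_RE.search(inventory).group(1))

def cve_status(cve: str, installed: Tuple[int, ...]) -> str:
    """PSUs are cumulative: covered once the installed level on the same base reaches the fix level."""
    fix = parse_version(CVE_FIXED_IN[cve])
    if fix[:4] != installed[:4]:
        return "different release line; look up the fix for your base version"
    if installed[4] >= fix[4]:
        return "covered"
    return f"apply PSU {CVE_FIXED_IN[cve]} or later"

def triage(inventory: str, cves: List[str]) -> Dict[str, str]:
    level = installed_level(inventory)
    return {cve: cve_status(cve, level) for cve in cves}

if __name__ == "__main__":
    for cve, verdict in triage(SAMPLE_INVENTORY, list(CVE_FIXED_IN)).items():
        print(cve, "->", verdict)
```

On a real system, feed the function the actual output of `$ORACLE_HOME/OPatch/opatch lsinventory` and fill the table from the two Oracle documents named above.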
After reading this, do you find that those money-grabbing "scanning tools" are really rather low-end?
One command and two documents completely solve the problem the "scanning software" claims to solve, and when it comes to PSU versus CPU (SPU), the engineers behind the "scanning software" clearly do not understand the rules of the Oracle game.
Sincere advice: "Big Brother, come out and be professional, okay? Stop trying to look busy every day; study the internal principles and rules, and you will do better."
So is it necessary to apply patches at all? Oracle's official recommendation is to run the latest database version and apply the latest released PSU.
For production systems, however, caution is still advised. If you have not encountered a serious security risk or a bug, applying patches is not recommended.
Upgrading the PSU is fine. Upgrading the release version, on the other hand, must go through rigorous performance testing, because different versions have different optimizer (CBO) behavior. Upgrading without testing can easily leave the upgraded system unacceptable, or even paralyzed. I really did encounter a case in which a factory's core production system was upgraded from 11.2.0.2 to 11.2.0.4, became completely unusable, and had to be rolled back.
So patches are a good thing, but you should "take" them as needed.
In addition, major versions of the Oracle software can be downloaded from www.oracle.com (commercial use of course requires paying license fees).
The downloadable versions are 11.2.0.1.0, 12.0.1.2.0 and 12.2.0.1.0.
Only if you buy Oracle support (paid annually) and have a metalink account can you log in to metalink.oracle.com and download whatever patch you need. Without an account, you cannot download them.
One more thing: a correction from the Oracle expert Time'Square, for which I am grateful: from version 12.2 onward, PSU has been renamed RU. It seems I really am out of date.