Patching Processes

    By: Michelle Malcher on Sep 25, 2017

    It comes as no surprise that patching is a very important part of securing the database. The security patches that Oracle releases quarterly reduce risk in the environment by closing the door on the known vulnerabilities each patch addresses. Since those vulnerabilities are listed, some described in more detail than others, this information is out in the wild and can be picked up and used to exploit unpatched environments.

    While applying patches in a large environment is critical, it is no easy task. The importance of doing so is seen not only in the data from recent breaches but also in the Verizon Data Breach Investigations Report (DBIR), which reported that the top-10 known vulnerabilities accounted for 85% of successful exploits.

    As described in a blog post by Eric Maurice, Director of Security Assurance at Oracle, the issue is no longer with the patches themselves, but with not patching at all.

    The Oracle database provides ways to apply patches with little-to-no downtime, and even though every patch needs to be tested in the environment, the Critical Patch Updates (CPU) and Patch Set Updates (PSU) from Oracle contain the security fixes and are produced on a regular basis. With a consistent process, these patches should be picked up and applied in the test and development environments as soon as possible. Communicating this to application and customer teams should be easier now, given the media coverage of the latest breaches and the fact that they used vulnerabilities that could already have been patched.

    To begin, here is a high-level plan for developing a patching process (IOUG and Oracle whitepapers and resources have more details on the patching process):

    1. Develop a patching plan based on high availability options, backup, and rollout plan from test to production environments.
    2. Read the information with the patch to confirm any pre or post patching steps.
    3. Have a standard test plan to use quarterly on CPU/PSU.
    4. Verify whether the patch is available as a rolling patch, which will work with high availability options.
    5. Communicate that patches are going to be applied as part of a secure configuration process.
    6. Apply patches and verify.
    7. Large environments – if automation tools are not available, evaluate tools for automating patch application, or develop a way to include the pre/post steps, because the OPatch apply steps are the same with different patch numbers.
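    As an added example along the lines of step 7 (not code from the original post or from Oracle's tooling), here is a POSIX shell wrapper in which the OPatch conflict check, apply and inventory verification are written once and parameterised by the staged patch directory. It assumes ORACLE_HOME is set, that the patch was unzipped into a directory named after its patch number (the number 12345678 below is a constructed placeholder), and that any README-specific pre/post steps go in the two hook functions.

```shell
#!/bin/sh
# Added example, not Oracle's own tooling: one wrapper for every CPU/PSU.
# Assumes ORACLE_HOME is set and the patch is unzipped into a directory
# named after its patch number, e.g. /stage/12345678 (constructed value).
set -eu

OPATCH="${ORACLE_HOME:-/unset}/OPatch/opatch"

# Derive the numeric patch id from the staged directory name.
patch_id_from_dir() {
    basename "$1" | sed 's/[^0-9].*$//'
}

# Post-step check: succeed only if the lsinventory text in $2 lists patch $1
# on its "Patch  <id>     : applied on ..." line.
patch_listed() {
    printf '%s\n' "$2" | grep -Eq "Patch[[:space:]]+$1[[:space:]]*:"
}

# Hooks for the pre/post steps each patch README calls for (step 2 above);
# fill in per patch, e.g. stopping listeners or running datapatch.
pre_steps()  { :; }
post_steps() { :; }

# The OPatch steps that are identical for every patch number.
check_conflicts() { "$OPATCH" prereq CheckConflictAgainstOHWithDetail -ph "$1"; }
apply_patch()     { ( cd "$1" && "$OPATCH" apply -silent ); }
verify_applied()  { patch_listed "$1" "$("$OPATCH" lsinventory)"; }

# Full run for one staged patch directory; stops at the first failing step.
run_patch() {
    dir=$1
    id=$(patch_id_from_dir "$dir")
    [ -n "$id" ] || { echo "no patch number in $dir" >&2; return 1; }
    pre_steps "$dir" &&
    check_conflicts "$dir" &&
    apply_patch "$dir" &&
    post_steps "$dir" &&
    verify_applied "$id" &&
    echo "patch $id applied and verified"
}

# Only run when a patch directory is given, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    run_patch "$1"
fi
```

    Because the inventory check is a separate function, the same script can be run on every host after a rollout to confirm that the expected patch number is present in each ORACLE_HOME.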

    Patching is a must-have for the environment to maintain a secure configuration and to reduce the risk of a known vulnerability being exploited in the database. If consistent patching processes are not in place, it is time to have the discussions to design the process, testing and rollout.

    Released: September 25, 2017, 12:07 pm
    Keywords: IOUGenius | patching | Security
