Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Interesting analysis of CPU 12 April - To patch or not to patch

Alex just emailed me to let me know that he has just released a new paper on his company's web site. This paper is dated 17 April 2005 and is titled "Comments on Oracle Critical Patch Update April 2005".

This is a very interesting analysis of the latest patch fix from Oracle. As Alex said to me, "The CPU April 2005 is better than alert 68 but there is still room for improvement." I have to agree with Alex; Oracle could have provided information like that provided by Alex in this paper. He has analysed the bugs per major version and given a simple table to help DBAs decide whether the patch set should be applied. This is a simple table based on whether the DBA is using certain features or not. So, according to Alex, for 8.1.7, if you do not use Oracle Internet Directory then you do not need to patch. Alex has done the same for 9iR2 and 10g.

The paper is also significant for a few other reasons which can be summarised as follows:

1. Most DBAs may not need to install patches.

2. Some of the patches are for security issues from 2002/2003.

3. A wrong description in DB10. XMLDB has nothing to do with HTTPS.

4. Additional information on the Oracle HTTP Server security bugs is provided.

The significant thing for me is that out of 24 database server bugs, 13 are Oracle HTTP Server (aka Apache) bugs, and the oldest of these Apache bugs dates from 2002! Consider that Alex has about 40 bugs listed on his site that are not yet fixed and Esteban Fayo has over 65. I hope that the next scheduled patch set from Oracle includes fixes for most of these bugs and not a bunch of old Apache bugs (these are still needed of course, but much quicker).

This is an excellent analysis of CPU 12 April and should be read by every DBA. Also, I hope that Oracle takes note of some of the ideas raised in it and enhances its own future advisories in the same way to aid DBAs who need to deal with these patches.