Category Archives: Critical Patch Updates

Oracle Critical Patch Update for July 2015

Oracle’s Critical Patch Update is out for July 2015:

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Affected are database versions 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1 and 12.1.0.2.

This is the final patch for both the 11.1.0.7 and 11.2.0.3 releases. The final patch for 12.1.0.1 will be released in January 2016.

The most prominent entry on the risk matrix is CVE-2015-2629, a flaw in the Java VM component that a remote authenticated user can exploit to gain elevated privileges.

For the 11.2.0.4 patches, you can apply one of the following:

  • 11.2.0.4 SPU for UNIX: patch 20803583
  • 11.2.0.4.7 PSU for UNIX: patch 20760982
  • 11.2.0.4.17 Quarterly Database Patch for Exadata (July 2015): patch 21142006
  • July 2015 Quarterly Full-Stack Patch for Exadata: patch 21186703

Don’t forget your Grid Infrastructure patching:

  • 11.2.0.4 Grid Infrastructure PSU for UNIX: patch 20996923

And, since the Java VM fixes have shipped as their own patch series (the OJVM PSU) since October 2014, and the Java VM bug above lives in exactly that component, the JVM should be patched as well. Note that, unlike the database PSU, the OJVM PSU is not RAC-rolling, so plan an outage for it:

  • 11.2.0.4.4 OJVM PSU for UNIX: patch 21068539
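Before picking from that list it helps to know what is actually in the database you are about to patch. The queries below are added here as an example and are not code from the original post or from Oracle; they assume an 11.2.0.4 database where you can read DBA_REGISTRY and DBA_REGISTRY_HISTORY (DBA or SELECT_CATALOG_ROLE), and the COMMENTS strings mentioned in the comments are the usual PSU / OJVM PSU naming rather than anything the post states.

```sql
-- Added example, not from the original post. Assumes an 11.2.0.4 database and
-- a session that can read DBA_REGISTRY and DBA_REGISTRY_HISTORY.

-- 1. Is the Java VM component present in this database at all?
--    CVE-2015-2629 is in the Java VM, so this is where the OJVM PSU matters;
--    a database without JAVAVM does not expose that component.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- 2. Which PSUs / OJVM PSUs have had their SQL portion run against this
--    database? BUNDLE_SERIES is 'PSU' for the database PSU and the COMMENTS
--    column carries the level, e.g. 'PSU 11.2.0.4.7'; OJVM PSUs register
--    under their own series. ROLLBACK rows are listed too, so read the
--    whole history rather than just the last row.
SELECT action_time, action, version, id, bundle_series, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 3. On 12c the same information lives in DBA_REGISTRY_SQLPATCH,
--    one row per patch with an explicit STATUS column:
-- SELECT patch_id, version, action, status, description
-- FROM   dba_registry_sqlpatch
-- ORDER  BY action_time;
```

Two caveats. DBA_REGISTRY_HISTORY only records the SQL part of a patch (catbundle.sql or the OJVM post-install), so a home that was patched with OPatch but never had the post-install run against this database shows nothing here; confirm the binaries with `opatch lsinventory` on the ORACLE_HOME as well. And one home can serve several databases, so run the registry queries in each of them, not just one.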

Happy patching!


Oracle OpenWorld 2015

Submitted my Oracle OpenWorld 2015 presentation earlier.  Today is the last day to submit proposals for presentations or tutorials.

Oracle have extended their deadline for proposals until May 6th!

DBA 3.0 – How to Become a Real-World Exadata DBA – IOUG Collaborate 2015

According to a Book of Lists survey, “public speaking” is the biggest fear for 41% of people. To put that into perspective, “death” is the biggest fear for 19%, “flying” for 18%, and “clowns” don’t even register (which does make me seriously doubt the survey’s credibility).

I gave my first public presentation at IOUG Collaborate 2015 last week in Las Vegas and I didn’t die.

Why did you make your presentation debut at the second largest Oracle event on the calendar?  Excellent question.



Oracle’s Critical Patch Update for January 2015

Oracle announced their Critical Patch Update for January 2015 today.

The CPU includes a fix for a troubling E-Business Suite vulnerability found by David Litchfield: EBS grants the INDEX privilege on the (SYS-owned) DUAL table to PUBLIC by default. INDEX on a SYS-owned table is far from harmless, because it lets any database user create a function-based index on that table, and the function behind such an index is code the attacker controls, attached to an object owned by SYS.
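If you run EBS, this is worth checking for yourself rather than taking the advisory’s word for it. The two queries below are an added example and not code from the original post, from Litchfield’s write-up or from Oracle; they assume a session that can read DBA_TAB_PRIVS, DBA_INDEXES and DBA_IND_EXPRESSIONS on the EBS database.

```sql
-- Added example, not from the original post. Run as a DBA (or any account
-- with SELECT_CATALOG_ROLE) against the E-Business Suite database.

-- 1. Who holds what on SYS.DUAL? Out of the box the only grant is SELECT to
--    PUBLIC; an INDEX grant here, to PUBLIC or to any application account,
--    is the finding described above.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DUAL'
ORDER  BY grantee, privilege;

-- 2. Has anyone already used such a grant? DUAL ships with no indexes, so
--    any index at all, and in particular a function-based one owned by a
--    schema other than SYS, deserves a look (and a copy of its expression)
--    before it is dropped. COLUMN_EXPRESSION is a LONG, hence no ORDER BY
--    on it.
SELECT i.owner, i.index_name, i.index_type, i.funcidx_status,
       e.column_expression
FROM   dba_indexes i
LEFT   JOIN dba_ind_expressions e
       ON  e.index_owner = i.owner
       AND e.index_name  = i.index_name
WHERE  i.table_owner = 'SYS'
AND    i.table_name  = 'DUAL';
```

A clean result is one SELECT grant to PUBLIC and no rows from the second query. The supported fix is the CPU itself; if you are tempted to `REVOKE INDEX ON sys.dual FROM public` as a stopgap, test it against EBS first, since the application put the grant there and may depend on it.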

The database vulnerability with the highest “Homeland Security threat level” (CVSS score) is CVE-2014-6567, which could allow pre-12c databases on Windows to be “entirely compromised”.  If you’re not running pre-12c databases on Windows, the score is noticeably reduced, but is still 6.5.

In other news, 12.1.0.2.3 is out, should you live your life on the bleeding edge of technology.  Quarterly Full Stack Download Patches for Exadata are referenced in the availability note but don’t yet link to public documents; no doubt they will soon.

SSL 3.0 is now disabled by default in Java SE. Thanks to POODLE (CVE-2014-3566; yes, really) the protocol is considered obsolete, and Oracle’s advice is that SSL as a whole should be disabled, since organizations “can no longer rely on SSL to ensure secure communications between systems”.

Quite a scary world out there, huh?

MOS reference notes: 1935468.1, 1942215.1


My Collaborate IOUG 2015 Abstract

I will be presenting DBA 3.0 or “How to Become a Real-World Exadata DBA” at Collaborate 2015 – IOUG’s annual user conference – from April 12th to 16th at the Mandalay Bay Resort and Casino in Las Vegas. I submitted this as my abstract:

“DBA resources are more scarce than ever before and it can be very difficult to allocate time on anything but keeping the lights on – even when an organization has made a (substantial) hardware investment in Exadata.

However, if Exadata is treated like any other Oracle database, the promised “extreme performance” will likely be very underwhelming to developers, users and managers and can become unwieldy for DBAs to support.

On the other hand, when an organization configures and supports Exadata properly, they can realize exponential performance improvements in key IT infrastructure, can facilitate better business decisions and may actually reduce infrastructure costs.

The customer has bought a sports car – but might not realize that they haven’t taken it out of second gear (yet).

I will talk about the evolution of Exadata and then get into the “nuts and bolts” of how to support a high-performance Exadata environment as a Production DBA.

I will discuss how to get performance improvements of up to 20x, what NOT to do as an Exadata DBA and how Exadata can become the foundation of your organization’s high-performance enterprise infrastructure.”

I hope to see you in Las Vegas!


UKOUG 2014 – Dan Norris – Exadata Security Best Practices

Dan Norris of the Maximum Availability Architecture team gave what sounded like a very interesting presentation at UKOUG 2014. There seemed to be a lot of really cool stuff at this year’s event, which is to be expected as I no longer reside in the UK!

I encourage you to take a look at the slides, but also at the interesting links he provided:

Naturally, he also quoted a plethora of My Oracle Support notes – some of the greatest hits and some which you might not have seen before:

  • Responses to common Exadata security scan findings (Doc ID 1405320.1)
  • Oracle Sun Database Machine X2-2/X2-8, X3-2/X3-8 and X4-2 Security Best Practices (Doc ID 1071314.1)
  • How to change OS user password for Cell Node, Database Node, ILOM, KVM, Infiniband Switch, GigaBit Ethernet Switch and PDU on Exadata Database Machine (Doc ID 1291766.1)
  • Exadata Database Machine and Exadata Storage Server Supported Versions (Doc ID 888828.1)
  • Information Center: Oracle Exadata Database Machine (Doc ID 1306791.2)

Happy reading!


Updated Oracle Database Release Schedule

FYI, the release schedule in MOS (742060.1) was updated last week. Basically:

12.2.0.1 – expected in January 2016.
12.1.0.2 – terminal release of 12.1, in Premier Support until the summer of 2018.
12.1.0.1 – in Premier Support until July 2015, when support ends.
11.2.0.4 – in Premier Support/Free Extended Support until January 2016.
11.2.0.3 – in Premier Support/Free Extended Support until August 2015, when support ends.
11.1.0.7 – in Extended Support until August 2015, when support ends.
10.2.0.5 – in Limited Extended Support until July 2015, when support ends (finally!)

My thoughts:

Oracle must be very confident in the stability of 12.1.0.2 to make it the terminal release for 12.1 already.

I suspect 11.2.0.4 may get an extension on its free Extended Support until 12.2 is “stable” and available for all platforms, at the very least.

It would also be highly unusual for Oracle to only have one version (12c) in Premier Support at one time. Making customers pay for being on the terminal release of {LATEST – 1} will be very unpopular considering the fundamental changes found in 12c.

In hindsight, I think Oracle might have been better off if they had given the “12c Release 2” moniker to 12.1.0.2 given the extra features provided (In-Memory database, etc). This might have also convinced the DBA community to bite at 12.1.0.2 instead of “waiting until Release 2, Patchset 1” before upgrading.


Major Data Exploit Patched by January 2014’s CPU

Today, an Oracle security blog revealed a “monster bug” (actually, TWO of them) which allows a user to UPDATE data in a table in another schema on which they hold only the SELECT privilege.

In case you’re wondering, the author did inform Oracle a year ago and has sat on it since, so a huge amount of kudos to them! This is gratuitously stolen from that blog.

The user first creates a “simple” view over the table and then a non-“simple” view (one with an aggregate, for example) over that first view; DML through the outer view then goes through without the base table’s object privileges being enforced.

By exploiting this bug, the user may be able to cover their tracks (any table they can read, they can now modify) and go on to obtain DBA access.

This is known to exist in all “current” versions of the database (11g and 12c; it is not clear whether 9i or 10g are affected). The bug is fixed by the January 2014 (and later) CPU/PSU for 11g and 12c, but there is no fix for earlier versions (yet, if ever).
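You can’t patch 9i or 10g for this, but you can at least look for the shape of object the trick requires and for DML against it. The queries below are an added example, not the post’s own code and not the exploit that follows the break; they assume SELECT on DBA_DEPENDENCIES and DBA_AUDIT_TRAIL, that standard auditing (audit_trail=DB) is on with DML on the views of interest audited, and the list of Oracle-maintained schemas to skip is my assumption, to be extended with your own application owners that legitimately stack views.

```sql
-- Added hunting queries, not from the original post. Assumes SELECT on
-- DBA_DEPENDENCIES and DBA_AUDIT_TRAIL. The NOT IN list of schemas to
-- ignore is an assumption; extend it for your own application owners.

-- 1. Find "view on view" chains where the outer view's owner is not the
--    owner of the base table: the shape a user would have to build to try
--    the trick described above. Rows here are leads to examine, not proof.
SELECT d1.owner            AS outer_owner,
       d1.name             AS outer_view,
       d2.owner            AS inner_owner,
       d2.name             AS inner_view,
       d2.referenced_owner AS table_owner,
       d2.referenced_name  AS base_table
FROM   dba_dependencies d1
JOIN   dba_dependencies d2
       ON  d2.owner = d1.referenced_owner
       AND d2.name  = d1.referenced_name
WHERE  d1.type             = 'VIEW'
AND    d1.referenced_type  = 'VIEW'
AND    d2.type             = 'VIEW'
AND    d2.referenced_type  = 'TABLE'
AND    d2.referenced_owner <> d1.owner
AND    d1.owner NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP', 'XDB',
                        'CTXSYS', 'MDSYS', 'ORDSYS', 'WMSYS', 'EXFSYS')
ORDER  BY d1.owner, d1.name;

-- 2. Pair the leads with the audit trail: DML issued against any view that
--    is itself built on a view. Only returns rows if those statements were
--    audited (AUDIT UPDATE, DELETE, INSERT ON <view>, or AUDIT ALL for the
--    accounts of interest), so an empty result is not a clean bill of health.
SELECT a.timestamp, a.username, a.owner, a.obj_name, a.action_name, a.returncode
FROM   dba_audit_trail a
WHERE  a.action_name IN ('UPDATE', 'DELETE', 'INSERT')
AND    (a.owner, a.obj_name) IN (
         SELECT owner, name
         FROM   dba_dependencies
         WHERE  type = 'VIEW' AND referenced_type = 'VIEW')
ORDER  BY a.timestamp;
```

The first query will also list perfectly legitimate reporting views, which is why the owner exclusion list matters; what you are looking for is an ordinary user account owning a two-level view over a table it cannot update, created shortly before any UPDATE on the outer view shows up in the second query.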

A working example can be seen after the break – DO NOT RUN THIS IN PRODUCTION!!!



CPU and QFSDP for April 2014 Availability

I’m sure you probably got the memo that the Critical Patch Update for April 2014 is now available.

For non-Exadata databases, the PSUs in this CPU take your database software to:

  • 11.2.0.3.10
  • 11.2.0.4.2
  • 12.1.0.1.3

For Exadata machines, the associated Quarterly Full Stack Download Patch for April 2014 (Patch 18370231) upgrades your software to:

  • Exadata Storage Server: 11.2.3.3.0
  • DB Node Update Utility: 3.20
  • PDU Firmware: 1.06
  • Database/Grid Infrastructure: 11.2.0.3.23 (Bundle Patch 23)
  • OPatch: 11.2.0.3.6
  • OPlan: 12.1.0.1.5

It is also recommended that your Enterprise Manager be upgraded to 12.1.0.3 and that you apply the latest Exadata and database plugins (12.1.0.5).

While browsing through MOS for details on this patch, I found this neat reference note:

  • Quick Reference to Patch Numbers for Database PSU, SPU(CPU), Bundle Patches and Patchsets (MOS 1454618.1)

A very handy reference point for all the patch numbers and download links. Of course, the best thing about it is that you don’t have to go searching for the correct patch number yourself anymore 🙂