Ask any Oracle DBA and they’ll tell you that the bane of their existence — well, one of them at least — is keeping up with Oracle’s continuous stream of patches and upgrades. As we reported last week, the latest volley of patches included 51 fixes to security vulnerabilities in their array of database and app products. This quarterly CPU (critical patch update) included:
- 27 fixes for the Oracle Database 10g and 9i, five of which may be exploited remotely without the need for a username and password. The fixes address flaws in the core relational database management system, SQL execution, Oracle Database Vault, and advanced queuing.
- 11 security fixes plug holes in Oracle Application Server 10g releases 2 and 3, seven of which may be remotely exploitable without the need for a username and password. The fixes repair flaws in Oracle HTTP Server, Oracle Portal, Oracle Single Sign-On and Oracle Containers for J2EE.
- 8 fixes for flaws in Oracle E-Business Suite 11i applications. One of the vulnerabilities can be remotely exploited by an attacker without authentication. Areas affected include Oracle Marketing, Oracle Quoting, Oracle Public Sector Human Resources, Oracle Exchange and Oracle Applications Manager.
- 2 flaws were patched in Oracle Enterprise Manager and three security fixes were released for Oracle PeopleSoft Enterprise products. The PeopleSoft Human Capital Management software and PeopleTools are affected.
Will all these fixes actually work? Will they break other unrelated systems? Welcome to the life of the DBA.
The most common complaint I hear when talking to DBAs is about patching and upgrading. What I don’t hear as much are suggestions about how to improve the process. Does Oracle need to implement automatic updating like Windows Update? Release better-tested products? Or is the number of bug fixes manageable? Let’s hear your thoughts!