FAQ: Oracle Security Alerts
1. What is an Oracle Security Alert?
Occasionally, security vulnerabilities are found in Oracle products. Oracle makes every attempt to rectify these vulnerabilities quickly, culminating in the issuance of an Oracle Security Alert, a document containing a brief description of the vulnerability, the risk associated and the degree of exposure, applicable workarounds and/or patch availability.
2. How is the severity of the Security Alert determined?
Please see http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings.
3. Where can I find a list of all Security Alerts ever published?
Please see http://www.oracle.com/technology/deploy/security/alerts.htm for all published Security Alerts.
4. Do all the alerts apply to SAP environments?
No. Some Security Alerts refer to Oracle products that are not used in SAP environments.
Here is the list of Security Alerts that can affect the SAP environment:
- Oracle Security Alert #29 SAP Note 497127
- Oracle Security Alerts #48 - #51 SAP Note 598121
- Oracle Security Alert #54 SAP Note 619303
- Oracle Security Alert #57 SAP Note 649353
- Oracle Security Alert #58 SAP Note 653382
- Oracle Security Alert #59 SAP Note 676599
- Oracle Security Alert #59 and #64 SAP Note 709756
- Oracle Security Alert #68 SAP Note 769416
5. Where can I find the patches for Security Alerts?
All patches are located in SAP Service Marketplace. Please refer to the individual note for the exact location.
6. What if the patch is not available at SAP?
Implement the workarounds mentioned on the Alert, if any, and wait until the patch is released by SAP.
7. Can I install Oracle patches retrieved from the Oracle website?
Please wait until the patch has been released by SAP. SAP has to check these patches before releasing them. Oracle does not provide advance notice of security bugs to any customer.
It usually takes about a week before the patch is released by SAP.
8. Which is the latest Oracle Security Alert that could affect SAP?
Security Alert #68. See SAP Note 769416.
9. The patch README file states that no other bug fix should be installed on the server. What should I do if bug fixes are already installed?
Oracle puts this warning in the README of every one-off patch, because applying any patch adds risk to the processing environment. One-off patches are not tested as extensively as patchsets. There is always a possibility of a file conflict with a previous one-off patch applied since the last patchset.
10. What is the Oracle Critical Patch Update Program?
Oracle has changed the method and schedule by which it delivers security patch updates and security fixes for all of its products. Since 2005, Oracle has provided Critical Patch Updates (CPU) for all product offerings on a quarterly schedule.
These comprehensive patches address significant security vulnerabilities and include fixes that customers are likely to apply, or that are prerequisites for the security fixes.
CPU patches are cumulative for database products. This means that the database patch in the latest CPU includes the fixes from all earlier CPUs unless stated otherwise.
11. How does SAP handle the Oracle Critical Patch Update Program?
Information about the Oracle Critical Patch Update Program can be found in SAP Note 811174.