With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016. Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October). These patches include important fixes for security vulnerabilities in the Oracle Database. The CPUs are only available for certain versions of the Oracle Database; therefore, advance planning is required to ensure supported versions are in use, and mitigating controls may be needed when a CPU cannot be applied in a timely manner.
CPU Supported Database Versions
As of the October 2015 CPU, the only CPU supported database versions are 188.8.131.52, 184.108.40.206, and 220.127.116.11. The final CPU for 18.104.22.168 will be July 2016. 22.214.171.124 will be supported until October 2020 and 126.96.36.199 will be supported until July 2021.
188.8.131.52 and 184.108.40.206 CPU support ended as of July 2015.
Database CPU Recommendations
- When possible, all Oracle databases should be upgraded to 220.127.116.11 or 18.104.22.168. This will ensure CPUs can be applied through at least October 2020.
- [22.214.171.124] New databases or application/database upgrade projects currently testing 126.96.36.199 should immediately look to implement 188.8.131.52 instead of 184.108.40.206, even if this will require additional effort or testing. With the final CPU for 220.127.116.11 being July 2016, unless a project is implementing in January or February 2016, we believe it is imperative to move to 18.104.22.168 to ensure long-term CPU support.
- [22.214.171.124 and prior] If a database cannot be upgraded, the only effective mitigating control for many database security vulnerabilities is to strictly limit direct database access. In order to restrict database access, Integrigy recommends using valid node checking, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts. Direct database access is required to exploit database security vulnerabilities, and most often a valid database session is required as well.
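As an added example (not code from the original post or from Integrigy), the check below reads a sqlnet.ora fragment and reports whether valid node checking actually restricts which hosts may connect to the listener, which is the first control the recommendation above names. The parameter names TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES are real Oracle Net parameters; the two sqlnet.ora excerpts, the host names and the addresses are constructed for the example, and each parameter is assumed to sit on a single line.

```python
import re

# Constructed sqlnet.ora excerpts (not from the original post). The weak one
# never turns valid node checking on; the hardened one enables it and limits
# direct connections to an application server, a bastion host and one subnet.
WEAK_SQLNET = """
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

HARDENED_SQLNET = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.1.20, bastion.example.internal, 10.0.2.0/24)
TCP.EXCLUDED_NODES = (10.0.1.99)
"""

# NAME = value  or  NAME = (value, value, ...)  on one line (assumption)
_PARAM_RE = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_sqlnet(text):
    """Return {PARAM: [values]} for the simple single-line parameter forms."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = _PARAM_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1).upper(), m.group(2).strip("()")
        params[name] = [v.strip() for v in raw.split(",") if v.strip()]
    return params


def audit_valid_node(text):
    """Report whether the listener restricts direct connections by host."""
    p = parse_sqlnet(text)
    enabled = p.get("TCP.VALIDNODE_CHECKING", ["NO"])[0].upper() == "YES"
    invited = p.get("TCP.INVITED_NODES", [])
    excluded = p.get("TCP.EXCLUDED_NODES", [])
    findings = []
    if not enabled:
        findings.append("TCP.VALIDNODE_CHECKING is not YES: any host that can "
                        "reach the listener may open a database session")
    elif not invited:
        # With no invited list only the exclude list applies, so every host
        # not explicitly excluded is still allowed to connect.
        findings.append("valid node checking is on but TCP.INVITED_NODES is "
                        "empty: only the exclude list limits access")
    return {"enabled": enabled, "invited": invited,
            "excluded": excluded, "findings": findings}
```

Run `audit_valid_node` over each database's sqlnet.ora to find listeners that still accept connections from any host; an empty `findings` list with a short `invited` list is the state the recommendation describes.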
Regardless of whether security patches are applied regularly, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all Oracle databases.