1.5. Oracle Patching

In late August 2004, Oracle released a long-awaited patchset. This patchset fixed hundreds of vulnerabilities that had been reported by security researchers such as the author, Esteban Martinez Fayo, Pete Finnigan, Jonathan Gennick, Alexander Kornbrust, Stephen Kost, Matt Moore, Andy Rees, and Christian Schaller. Known as Alert 68, it heralded the arrival of a different approach from Oracle with regard to patching and patch release. From then on, Oracle committed to releasing a critical patch update (CPU) every three months. CPUs tend to contain a large number of fixes, and only once (at the time of writing) has a CPU not been re-issued several times, that being the CPU of July 2006. Because of this frequency and volume, it is common to find servers with faulty or outdated patches, so administrators think they are protected when in fact they are not. Oracle has taken a lot of criticism for this, both publicly and privately.

The tool used for installing Oracle patches on every version of Oracle except 8.1.7.4 is known as "opatch". The opatch utility reads a file delivered with the patch, $PATCH/etc/config/actions, which describes a list of install actions such as which files to copy where. When the tool is run, it updates $ORACLE_HOME/inventory/ContentsXML/comps.xml. That file contains, among other things, a list of the bug numbers fixed by the patchset. It is not recommended that you rely on the information in this file ...
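The following script is an added example, not code from the book: it pulls the bug numbers that comps.xml claims are fixed and compares them with the set of bugs a given CPU is supposed to fix. The element layout used for comps.xml (ONEOFF_LIST/ONEOFF/BUG_LIST/BUG) is an assumption about how opatch records one-off patches, and every bug number and REF_ID in the sample is a constructed placeholder, not a real Oracle bug ID. Note what the check can and cannot tell you: an expected bug that is absent from the inventory means the server is certainly unpatched for it, but a bug that is present only means the inventory claims it, which is exactly the information the text warns you not to rely on.

```python
"""Extract and cross-check the bug numbers an Oracle inventory claims are fixed.

Added example, not the book's code.  The comps.xml layout below
(PRD_LIST/ONEOFF_LIST/ONEOFF/BUG_LIST/BUG) is an assumption about how
opatch records one-off patches, and every bug number is a constructed
placeholder, not a real Oracle bug ID.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed inventory fragment in the assumed shape of
# $ORACLE_HOME/inventory/ContentsXML/comps.xml after opatch has run.
SAMPLE_COMPS_XML = """<?xml version="1.0" standalone="yes"?>
<PRD_LIST>
  <TL_LIST>
    <COMP NAME="oracle.server" VER="10.2.0.3.0"/>
  </TL_LIST>
  <ONEOFF_LIST>
    <ONEOFF REF_ID="9000001" ROLLBACK="T" XML_INV_LOC="oneoffs/9000001/">
      <DESC>Constructed CPU example</DESC>
      <BUG_LIST>
        <BUG>9000001</BUG>
        <BUG>9000002</BUG>
      </BUG_LIST>
    </ONEOFF>
  </ONEOFF_LIST>
</PRD_LIST>
"""


def applied_bugs(comps_xml: str) -> dict[str, set[str]]:
    """Map each one-off patch REF_ID to the bug numbers it claims to fix."""
    root = ET.fromstring(comps_xml)
    claims: dict[str, set[str]] = {}
    for oneoff in root.iter("ONEOFF"):
        ref_id = oneoff.get("REF_ID", "<no REF_ID>")
        bugs = {b.text.strip() for b in oneoff.iter("BUG") if b.text and b.text.strip()}
        claims.setdefault(ref_id, set()).update(bugs)
    return claims


def missing_fixes(comps_xml: str, expected_bugs: set[str]) -> set[str]:
    """Expected bug numbers that no one-off in the inventory claims to fix.

    A non-empty result means the inventory does not even claim the fix,
    so the server is certainly not patched for those bugs.  An empty
    result proves nothing beyond the claim: comps.xml is written by
    opatch from the patch's own actions file and can be stale or wrong.
    """
    claimed: set[str] = set()
    for bugs in applied_bugs(comps_xml).values():
        claimed |= bugs
    return set(expected_bugs) - claimed


def load_inventory(oracle_home: str) -> str:
    """Read comps.xml from a real ORACLE_HOME (path as given in the text above)."""
    with open(f"{oracle_home}/inventory/ContentsXML/comps.xml", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Bug numbers a (constructed) CPU advisory says the patch should fix.
    expected = {"9000001", "9000002", "9000003"}
    for ref_id, bugs in applied_bugs(SAMPLE_COMPS_XML).items():
        print(f"one-off {ref_id} claims fixes for: {sorted(bugs)}")
    print("expected fixes not claimed:", sorted(missing_fixes(SAMPLE_COMPS_XML, expected)))
```

On a real host, replace SAMPLE_COMPS_XML with load_inventory("/path/to/ORACLE_HOME") and feed in the bug list from the CPU's README; anything reported as missing is a definite gap, while an empty report is only a starting point for verifying the fix itself.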

From The Oracle® Hacker's Handbook: Hacking and Defending Oracle.