Oracle releases a Critical Patch Update (CPU). How fast should you mobilize to apply it?

Don’t panic. Use the information available on Oracle’s web site to determine the degree to which your environment is affected.

Four times a year, Oracle releases a CPU. Here’s what the current notification looks like:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html

When reviewing the notification, take a look at the risk matrices. Here’s the one for the database:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html#AppendixA

This matrix uses an industry-standard security risk rating system, the Common Vulnerability Scoring System (CVSS).

You will find that the entries are itemized by product. If you are not using the products mentioned, your risk is lowered. The matrix also rates the significance of each vulnerability. The columns in the matrix are fully explained here:

http://www.first.org/cvss/cvss-guide.html

By analyzing the findings, you can make an informed choice about what threat the particular CPU poses to your Oracle environment.
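The triage described above, sketched as an added example (not code from Oracle or from the original post): it keeps only the matrix rows for components you actually run, recomputes each row's base score from its vector columns, and lists unauthenticated network-reachable rows first. It assumes the matrix is scored with CVSS version 2; the row ids, component names and dictionary keys are constructed placeholders, not values from the advisory.

```python
# CVSS v2 base-metric weights (assumption: the risk matrix uses CVSS version 2).
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def base_score(row):
    """CVSS v2 base score computed from one row's vector columns."""
    c, i, a = CIA[row["conf"]], CIA[row["integ"]], CIA[row["avail"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * AV[row["av"]] * AC[row["ac"]] * AU[row["au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def triage(matrix, installed):
    """Rows for installed components only, most urgent first."""
    hits = []
    for row in matrix:
        if row["component"] not in installed:
            continue  # product not in use: this row does not apply
        hits.append({
            "id": row["id"],
            "component": row["component"],
            "score": base_score(row),
            # Reachable over the network with no credentials required.
            "remote_no_auth": row["av"] == "Network" and row["au"] == "None",
        })
    return sorted(hits, key=lambda h: (h["remote_no_auth"], h["score"]),
                  reverse=True)


# Constructed sample rows (hypothetical components, placeholder ids).
COLS = ("id", "component", "av", "ac", "au", "conf", "integ", "avail")
SAMPLE_MATRIX = [dict(zip(COLS, r)) for r in [
    ("ROW-1", "Component A", "Network", "Low", "Single", "Partial", "Partial", "None"),
    ("ROW-2", "Component B", "Network", "Low", "None", "Partial", "Partial", "Partial"),
    ("ROW-3", "Component C", "Local", "Low", "None", "Complete", "Complete", "Complete"),
    ("ROW-4", "Component A", "Network", "Medium", "Single", "Partial", "None", "None"),
]]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MATRIX, {"Component A", "Component B"}):
        print(hit)
```

Here "Component C" carries a high score but drops out because it is not installed, which is the point of checking the product column before reacting to the headline numbers.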
