STIG Summary: Oracle Database 11g Installation STIG, Version: 8, Release: 20, Benchmark Date: 28 Jul 2017

The latest security patches should be installed.

DISA Rule

SV-24342r1_rule

Vulnerability Number

V-5659

Group Title

DBMS security patch level

Rule Version

DG0003-ORACLE11

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Apply the most current Oracle Critical Patch update to the database software when available.

Follow vendor-provided patch installation instructions.

Check Contents

Oracle provides patches as service patchsets and Critical Patch Updates (CPU), and also provides patch set exceptions for installed DBMS products.

A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 11.1.0.6 to 11.1.0.7) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions). This is covered in Check DG0001.

Oracle security patches are published quarterly in January, April, July and October as Critical Patch Updates (CPU). CPUs may be viewed at:

http://www.oracle.com/technology/deploy/security/alerts.htm

Most Oracle CPU patches are also listed in DoD IAVM alerts.

Patch set exceptions are fixes for a particular DBMS product based on reported bugs and do not undergo the rigorous QA and certification process that patchsets do. These are installed as needed to correct reported or observed bugs in Oracle DBMS products.

This check applies to the application of the CPU patches only. You must comply with Check DG0001 prior to applying Oracle Critical Patch Updates.

For Oracle Critical Patch Updates (CPU):

1. Go to the website http://www.oracle.com/technology/deploy/security/alerts.htm.
2. Click on the latest Critical Patch Update link.
3. Click on the [Database] link in the Supported Products and Components Affected section.
4. Enter your Oracle MetaLink credentials.
5. Locate the Critical Patch Update Availability table.
6. Identify your OS Platform and Oracle version to see if there is a CPU release.
7. If there is none, this check is Not a Finding. If there is one, note the patch number for the steps below.

View the installed patch numbers for the database using the Oracle opatch utility.

On UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory -detail | grep [PATCHNUM]

On Windows systems (From Windows Command Prompt):
%ORACLE_HOME%\OPatch\opatch lsinventory -detail | findstr [PATCHNUM]

Replace [PATCHNUM] with the Patch number noted above. If the output shows the installed patch is present, this check is Not a Finding. No output indicates that the patch has not been applied and is a Finding.
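
Added example, not part of the STIG text: a shell function that applies the pass/fail rule above but matches the patch number only as an applied patch ID. A plain grep also matches bug numbers and longer patch numbers containing the same digits, and a failed opatch run produces no output just as a missing patch does. The "Patch <number> : applied on" line format, the "OPatch succeeded" trailer and the sample numbers are assumptions constructed for this example.

```shell
#!/bin/sh
# Usage on a real system (assumed invocation, per the check text above):
#   $ORACLE_HOME/OPatch/opatch lsinventory -detail | check_cpu_patch PATCHNUM

# check_cpu_patch PATCHNUM   (inventory text is read from stdin)
# Prints "Not a Finding", "Finding" or "Error: ..." and returns 0, 1 or 2.
check_cpu_patch() {
    patchnum=$1
    # Accept digits only, so the value can never act as a regex or an option.
    case $patchnum in
        ''|*[!0-9]*) echo "Error: patch number must be numeric"; return 2 ;;
    esac
    inventory=$(cat)
    # An empty or failed listing must not be read as "patch not applied".
    if ! printf '%s\n' "$inventory" | grep -q 'OPatch succeeded'; then
        echo "Error: inventory listing incomplete"; return 2
    fi
    # Match the number only as the ID on an "applied on" line, not as part of
    # a longer patch number or as a bug number under "Bugs fixed".
    if printf '%s\n' "$inventory" |
        grep -Eq "^Patch[[:space:]]+${patchnum}[[:space:]]*:[[:space:]]*applied on"; then
        echo "Not a Finding"; return 0
    fi
    echo "Finding"; return 1
}

# Constructed sample listing; the patch and bug numbers are made up.
sample_inventory() {
    cat <<'EOF'
Interim patches (1) :

Patch  12345678     : applied on Mon Jan 01 00:00:00 UTC 2018
   Bugs fixed:
     1234567, 7654321

OPatch succeeded.
EOF
}
```

With the sample listing, 1234567 is reported as a Finding even though a plain grep for it would print two lines.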

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Database Administrator

Target Key

1368
