Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Is it just me or is Orablogs not reachable again?"] [Next entry: "My site and Blog are available again"]

OPatch, wherefore art thou?

Josh pointed me at a new news article written by Shawna McAlearney this evening titled,289142,sid14_gci1115321,00.html - (broken link) OPatch, wherefore art thou? that was published yesterday 15 August 2005. This is an interesting article that talks about the issues of the recent patches that do not work or patches that are incomplete - e.g. fixes that are supposed to be fixed are in fact not.

The article features comments from David Litchfield and makes a good point about regulatory requirements to apply security patches promptly. He also mentions that he will soon release a paper on problems with using OPatch, Oracles patch application tool and also its tool for verifying the patch level of a database. He goes on to discuss the problems of incomplete patches, patches that fail to fix the flaws, the problems with not running post installation procedures, problems with OPatch not updating the registry properly and a problem with rolling back patches where the patch is removed but the inventory is not updated. This leads to the situation where a database looks to be patched but in fact it is not.

This looks like it will be a very interesting paper when released. This article also starts to raise serious worries about the state of the Oracle patching process and tools.