
Vendor supported software is evaluated and patched against newly found vulnerabilities.


Overview

Finding ID: V-5658
Version: DG0001-ORACLE11
Rule ID: SV-24339r1_rule
IA Controls: VIVM-1
Severity: High

Description
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack.

STIG: Oracle 11 Database Installation STIG
Date: 2014-01-14

Details

Check Text (C-28293r1_chk)
From SQL*Plus:
select banner from v$version where banner like 'Oracle%';

Currently supported Oracle 11g versions as of 10/2009 are:

11.1 - Premier Support for 11.1 ends 31 Aug 2012
Extended Support for 11.1 available after 31 Aug 2012
Sustaining Support for 11.1 available after 31 Aug 2015

11.2 - Premier Support for 11.2 ends 31 Jan 2015
Extended Support for 11.2 ends 31 Jan 2018
Sustaining Support for 11.1 available after 31 Jan 2018

If the Oracle version is not in the list above or is not supported with a purchased extended support contract, this is a Finding.

Note: Sustaining Support does not include security updates. Any product in Sustaining Support is a Finding.

A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process.

Oracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions).

Currently supported patched versions as of 6/2010 are:

11.2.0.1.0 (Select Platforms)
11.1.0.7.0

If the Oracle patchset level is less than that listed above, this is a Finding.
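
The check above can be scripted once the banner has been collected. The following is an added example, not part of the STIG: it parses a v$version banner line and applies the support dates and minimum patch set levels listed in the check text. The function names and the sample banner are constructed for illustration, and the Extended Support end for 11.1 is assumed to be the date on which Sustaining Support becomes available.

```python
import re
from datetime import date

# Dates and patch set levels transcribed from the check text above.
# Each entry: (minimum patch set, Premier Support end, Extended Support end).
# Assumption: for 11.1 the Extended end is the date Sustaining Support begins.
SUPPORTED = {
    (11, 1): ((11, 1, 0, 7, 0), date(2012, 8, 31), date(2015, 8, 31)),
    (11, 2): ((11, 2, 0, 1, 0), date(2015, 1, 31), date(2018, 1, 31)),
}

BANNER_RE = re.compile(r"Release\s+(\d+(?:\.\d+){1,4})")


def parse_banner(banner):
    """Return the version in a v$version banner line as a 5-part tuple."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("no release number in banner: %r" % banner)
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (5 - len(parts)))


def evaluate(banner, as_of, extended_contract=False):
    """Return (is_finding, reason) for one banner line on a given date."""
    try:
        version = parse_banner(banner)
    except ValueError as exc:
        return True, str(exc)  # fail closed: an unreadable banner is reviewed
    entry = SUPPORTED.get(version[:2])
    if entry is None:
        return True, "release %d.%d is not in the supported list" % version[:2]
    min_patchset, premier_end, extended_end = entry
    if version < min_patchset:
        return True, "patch set level is below %s" % ".".join(map(str, min_patchset))
    if as_of <= premier_end:
        return False, "Premier Support"
    if as_of <= extended_end:
        if extended_contract:
            return False, "Extended Support contract"
        return True, "Premier Support ended; no Extended Support contract"
    return True, "Sustaining Support only; no security updates"


if __name__ == "__main__":
    # Constructed sample banner, not output from a real system.
    sample = "Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production"
    print(evaluate(sample, date(2014, 1, 14)))
```
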
Fix Text (F-22570r1_fix)
Upgrade to a supported Oracle version. Purchase an Oracle Extended Support Contract where required.

See http://www.oracle.com/technology/support/patches.htm for a definitive list of version patch sets for Oracle DBMS software.

See http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf for Oracle support policies and timelines.