UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The latest security patches should be installed.


Overview

Finding ID Version Rule ID IA Controls Severity
V-5659 DG0003-ORACLE11 SV-24342r1_rule VIVM-1 Medium
Description
Maintaining the currency of the software version protects the database from known vulnerabilities.
STIG Date
Oracle 11 Database Installation STIG 2014-01-14

Details

Check Text ( C-26060r1_chk )
Oracle provides patches in service patchsets, Critical Patch Updates (CPU) as well as providing patch set exceptions for installed DBMS products.

A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process. Oracle patch sets update the Oracle version number (e.g. 11.1.0.6 to 11.1.0.7) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions). This is covered in Check DG0001.

Oracle security patches are published quarterly in January, April, July and October as Critical Patch Updates (CPU). CPUs may be viewed at:

http://www.oracle.com/technology/deploy/security/alerts.htm

Most Oracle CPU patches are also listed in DoD IAVM alerts.

Patch set exceptions are fixes per a particular DBMS product based on reported bugs and do not undergo the rigorous QA and certification process that patchsets do. These are installed as needed to correct reported or observed bugs in Oracle DBMS products.

This check applies to the application of the CPU patches only. You must comply with Check DG0001 prior to applying Oracle Critical Patch Updates.

For Oracle Critical Patch Updates (CPU):

1. Go to the website http://www.oracle.com/technology/deploy/security/alerts.htm.
2. Click on the latest Critical Patch Update link.
3. Click on the [Database] link in the Supported Products and Components Affected section.
4. Enter your Oracle MetaLink credentials.
5. Locate the Critical Patch Update Availability table.
6. Identify your OS Platform and Oracle version to see if there is a CPU release.
7. If there is none, this check is Not a Finding. If there is one, note the patch number for the steps below.

View the installed patch numbers for the database using the Oracle opatch utility.

On UNIX systems:
$ORACLE_HOME/OPatch/opatch lsinventory –detail | grep [PATCHNUM]

On Windows systems (From Windows Command Prompt):
%ORACLE_HOME%\OPatch\opatch lsinventory –detail | findstr [PATCHNUM]

Replace [PATCHNUM] with the Patch number noted above. If the output shows the installed patch is present, this check is Not a Finding. No output indicates that the patch has not been applied and is a Finding.
Fix Text (F-16405r1_fix)
Apply the most current Oracle Critical Patch update to the database software when available.

Follow vendor-provided patch installation instructions.