Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-4758 | DG0002-ORACLE10 | SV-24340r2_rule | VIVM-1 | Medium |
Description |
---|
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack. Developing and implementing an upgrade plan prior to a lapse in support helps to protect against published vulnerabilities. |
STIG | Date |
---|---|
Oracle Database 10g Installation STIG | 2014-04-02 |
Check Text ( C-26058r2_chk ) |
---|
From SQL*Plus: `select substr(version,1,4) from v$instance;` If the Oracle version is at 10.2 or less, review evidence that an upgrade/migration plan has been documented. If it is not, this is a Finding. For any version where Oracle Extended Support ends within 6 months, review evidence that an upgrade to a supported version is in progress. If it is not, this is a Finding. Product: Oracle Database. Highest Supported Version: 11.2 (see Oracle MetaLink Note 161818.1 for Oracle RDBMS Release support status). Product Versions / Premier Support Ends / Extended Support Ends: 11.2.0.X / Aug 2012 / Aug 2015; 11.1.0.X / Aug 2012 / Aug 2015; 10.2.0.X / Jul 2010 / Jul 2013; 10.1.0.X / Jan 2009 / Jan 2012 (NOTE: 10.1.0.5 is terminal patch set). |
Fix Text (F-16158r1_fix) |
---|
Develop, document and implement an upgrade/migration plan for obsolete or expiring Oracle versions. Use the table above as a guideline for Oracle version support. The cost of the version upgrade should be budgeted, including any additional testing and development required to support the version upgrade. A plan for testing the version upgrade should also be scheduled. Any other steps for the version upgrade should be included in the plan, and the plan for the version upgrade should be scheduled for completion prior to expiration of the current Oracle database server product. |
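
The Check Text logic as an added Python example (not part of the STIG): it takes the string returned by the SQL*Plus query, compares releases numerically, and applies both Finding conditions using the support table above. The function names, the end-of-month reading of the dates, and treating already-lapsed support as "within 6 months" are assumptions of this example.

```python
import calendar
from datetime import date

# Extended Support end dates from the Check Text table above.
# Assumption: "Aug 2015" etc. is read as the last day of that month.
EXTENDED_SUPPORT_ENDS = {
    (11, 2): date(2015, 8, 31),
    (11, 1): date(2015, 8, 31),
    (10, 2): date(2013, 7, 31),
    (10, 1): date(2012, 1, 31),
}

def parse_release(version):
    """Turn v$instance.version (or its substr(version,1,4)) into (major, minor).

    substr() yields '9.2.' for 9.x and '11.2' for 11.x, so comparing the raw
    strings misorders releases ('9.2.' > '10.2'); compare integers instead.
    """
    parts = [p for p in version.strip().split(".") if p]
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised Oracle version: {version!r}")
    return int(parts[0]), int(parts[1])

def add_months(d, months):
    """Return d shifted forward by whole months, clamping the day of month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def evaluate(version, today, plan_documented, upgrade_in_progress):
    """Apply both Check Text conditions; returns finding flag, reasons, review flag."""
    release = parse_release(version)
    reasons = []
    if release <= (10, 2) and not plan_documented:
        reasons.append("10.2 or less without a documented upgrade/migration plan")
    ends = EXTENDED_SUPPORT_ENDS.get(release)
    # Assumption: support that has already lapsed counts as "within 6 months".
    if ends is not None and ends <= add_months(today, 6) and not upgrade_in_progress:
        reasons.append(f"Extended Support ends {ends:%b %Y}; no upgrade in progress")
    return {
        "release": release,
        "finding": bool(reasons),
        "reasons": reasons,
        # Releases missing from the table need the MetaLink note checked by hand.
        "manual_review": ends is None,
    }
```

Releases that do not appear in the table come back with `manual_review` set, since their support dates have to be taken from the MetaLink note rather than from this page.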