
Vendor supported software is evaluated and patched against newly found vulnerabilities.


Overview

Finding ID: V-5658
Version: DG0001-ORACLE10
Rule ID: SV-24338r2_rule
IA Controls: VIVM-1
Severity: High
Description
Unsupported software versions are not patched by vendors to address newly discovered security vulnerabilities. An unpatched version is vulnerable to attack.
STIG: Oracle Database 10g Installation STIG
Date: 2014-04-02

Details

Check Text (C-26055r2_chk)
From SQL*Plus:
select banner from v$version where banner like 'Oracle%';

Currently supported Oracle 10g versions as of 6/2010 are:

10.1 - Premier Support for 10.1 ended 31 Jan 2009
Extended Support for 10.1 available after 31 Jan 2009
Sustaining Support for 10.1 available after 31 Jan 2012
Terminal Patch Set: 10.1.0.5

10.2 - Premier Support for 10.2 ended 31 Jul 2010
Extended Support for 10.2 available after 31 Jul 2010
Sustaining Support for 10.2 available after 31 Jul 2013

If the Oracle version is not in the list above or is not supported with a purchased extended support contract, this is a Finding.

Note: Sustaining Support does not include security updates. Any product in Sustaining Support is a Finding.

A patchset is an 'amended code set', consisting of a number of bug fixes, which is subjected to a rigorous QA and certification process.

Oracle patch sets update the Oracle version number (e.g. 10.2.0.3 to 10.2.0.4) and are usually bundled together to support a product family (for example, Oracle DBMS includes Enterprise, Standard, Personal and Client Editions).

Currently supported patched versions as of 6/2010 are:

10.2.0.4.0
10.2.0.3.0 (IBM z/OS 390 Server)
10.1.0.5.0 (Terminal Patch Set / Extended Support only)

If the Oracle patchset level is less than that listed above, this is a Finding.
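
The check above can be scripted over the banner rows the query returns; the following is an added example, not part of the STIG or of any Oracle tooling. The function names, the as_of date, and the extended_contract and zos flags are hypothetical, and the sample banners are constructed. It assumes Extended Support ends on the date Sustaining Support begins.

```python
import re
from datetime import date

# Support dates and patch set floors transcribed from the check text (as of 6/2010).
FAMILIES = {
    (10, 1): {"premier_end": date(2009, 1, 31), "sustaining_after": date(2012, 1, 31),
              "floor": (10, 1, 0, 5, 0), "floor_zos": (10, 1, 0, 5, 0)},
    (10, 2): {"premier_end": date(2010, 7, 31), "sustaining_after": date(2013, 7, 31),
              "floor": (10, 2, 0, 4, 0), "floor_zos": (10, 2, 0, 3, 0)},
}

# Same filter as the query: only rows whose banner starts with "Oracle".
BANNER_RE = re.compile(r"^Oracle.*?\bRelease\s+(\d+(?:\.\d+){1,4})")


def parse_banner(banner):
    """Return the release in a v$version banner as a 5-part integer tuple."""
    match = BANNER_RE.search(banner.strip())
    if match is None:
        raise ValueError("no Oracle release number in banner: %r" % banner)
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (5 - len(parts)))


def evaluate(banner, as_of, extended_contract=False, zos=False):
    """Return (is_finding, reason) for one banner row on the date as_of."""
    version = parse_banner(banner)
    family = FAMILIES.get(version[:2])
    if family is None:
        return True, "version is not in the supported list"
    if as_of > family["sustaining_after"]:
        return True, "Sustaining Support only, no security updates"
    if as_of > family["premier_end"] and not extended_contract:
        return True, "Premier Support ended, no Extended Support contract"
    floor = family["floor_zos" if zos else "floor"]
    if version < floor:
        return True, "patchset level below " + ".".join(map(str, floor))
    return False, "supported version at a supported patchset level"


# Constructed sample banners, not output captured from a real system.
SAMPLES = [
    "Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production",
    "Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production",
    "Oracle Database 10g Release 10.1.0.5.0 - Production",
]

if __name__ == "__main__":
    for row in SAMPLES:
        print(row, "->", evaluate(row, as_of=date(2010, 6, 15)))
```

Evaluated on the STIG date of 2014-04-02, every 10g banner is a Finding under these dates, because both 10.1 and 10.2 are then in Sustaining Support.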
Fix Text (F-22569r1_fix)
Upgrade to a supported Oracle version. Purchase an Oracle Extended Support Contract where required.

See http://www.oracle.com/technology/support/patches.htm for a definitive list of version patch sets for Oracle DBMS software.

See http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf for Oracle support policies and timelines.