Where are the 11.2.0.4.170117 DB PSU and DBBP?


On January 17th, Oracle released its quarterly PSU, as we expected.

The 12.1.0.2 version was OK regarding DB PSU, GI PSU, DBBP and OJVM PSU.

However, for the 11.2.0.4 version, only the OJVM PSU of Jan 2017 was provided. All the combos came with the Oct 2016 version of the DB/GI fixes + the Jan 2017 OJVM, as you can see below:

Source: Oracle Support Document 756671.1 (Oracle Recommended Patches -- Oracle Database) - https://support.oracle.com/epmos/faces/DocumentDisplay?id=756671.1

Why this behavior only for the 11.2.0.4 version? Note that 12.1.0.1 stopped at "Jul 2016" and 11.2.0.3 at "Jul 2015". So why this behavior so early with 11.2.0.4?

Checking the Risk Matrix for "Oracle Critical Patch Update Advisory - January 2017":

| CVE# | Component | Package and/or Privilege Required | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2017-3310 | OJVM | Create Session, Create Procedure | Multiple | No | 9.0 | Network | Low | Low | Required | Changed | High | High | High | 11.2.0.4, 12.1.0.2 | |
| CVE-2017-3240 | RDBMS Security | Local Logon | Oracle Net | No | 3.3 | Local | Low | Low | None | Unchanged | Low | None | None | 12.1.0.2 | |

The columns from Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

Source: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

The table above shows that the security fixes for 11.2.0.4 were related only to OJVM, while for 12.1.0.2 there was also a security fix for the Database. This could be one reason, but the CPU is only a fraction of a PSU package. Let's dig further.

Checking the official MOS Doc 2203916.1 in item 3.1.4.3 - Oracle Database 11.2.0.4, we have:

Source: Oracle Support Document 2203916.1 (Patch Set Update and Critical Patch Update January 2017 Availability Document) - https://support.oracle.com/epmos/faces/DocumentDisplay?id=2203916.1

 

There are no Database SPU or PSU or Exadata BP for 11.2.0.4 for Jan 2017 cycle as there are no new CPU security vulnerabilities applicable. Future patches are planned until end of Error Correction listed in the table above.

So the answer is there. Oracle decided to skip the PSU and DBBP for Jan 2017 as there was no CPU related to the RDBMS for this period. The problem is that, by definition, "Patch Set Updates (PSU) are the same cumulative patches that include both the security fixes and priority fixes." So what about all the bug fixes for that period?

I've opened a "Contact Us SR" asking about this issue. The answer was that my understanding was right and, unfortunately, they will not provide a PSU for 11.2.0.4 in January. Thanks, Oracle, for forgetting the past versions, forcing one-off patches. By the way, support for 11.2 ends in Dec 2020. However, until then, it seems that only drastic corrections will be provided quarterly.
