RealTime IT News

Customers Gripe About Oracle's Patch Plan

Some Oracle customers are starting to wonder if they are going to see a security patch from the company this month.

The Redwood Shores, Calif.-based software giant is nearly a month late on its promise of a more regular cycle for issuing security patches. Now several organizations say they are frustrated not only with the latest patch itself but with how often patches are released.

Two months ago, Oracle adopted a monthly cycle for security upgrades and fixes instead of dealing with them on a quarterly or yearly basis. Each alert was to notify Oracle's customers and subscribers, followed by installation instructions and links to FTP download sites.

Company spokesperson Rebecca Hahn said the company is still very much committed to protecting its customers but offered no explanation for the delay.

"Our customers, partners and developers all get the same alerts at the same time," Hahn told internetnews.com.

She also reiterated that the company will continue its policy of issuing individual alerts for the most serious vulnerabilities.

The last scheduled communication was Alert #68, Rev 2, which was issued back in August and updated last month. The alert urges customers to apply patches for flaws the company said could be exploited in older Oracle products.

Almost immediately, according to several posts on FreeLists.org, problems emerged with "opatch," Oracle's command-line utility for applying interim patches.

FreeLists poster Larry Wolfson is one of those whose contractors, working on an account with HP, attempted to install a number of patches and ran into difficulty.

"The problem with this attempt looks to be that all of the inventory directory isn't there. However, are you sure this is patch68? As all the patch 68's I've installed on 8174 (HP & Solaris) haven't used opatch. Instead you've just had to run patchserver.sh rather than opatch. In fact this is indicated by opatch looking for ContentsXML, which only appears under 9i and not an 8i install," the submission read.

Ruth Gramolini reported a similar problem: she didn't have an oraInventory directory.

"Look in your oraInst.loc file (on AIX it is in /etc) and see where the inventory_loc is," she noted. "Mine is actually in the Oracle Home. Then look for the missing file there."
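The two posts above describe the same pre-flight check: find where oraInst.loc says the OUI inventory lives, then confirm the inventory (and the ContentsXML directory opatch looks for) actually exists before starting a patch. The script below is an added example written for this article, not code from the FreeLists thread or from Oracle. It assumes oraInst.loc is a plain key=value file with an inventory_loc line and that a 9i-style inventory contains ContentsXML/inventory.xml; the oraInst.loc and ORACLE_HOME paths in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: locate the OUI inventory that opatch expects before
# running it, so a missing oraInventory fails loudly up front instead of
# halfway through a patch. Not from the FreeLists thread or Oracle.
#
# Assumptions (not from the article): oraInst.loc holds an
# "inventory_loc=<path>" line; a populated 9i inventory contains
# ContentsXML/inventory.xml. All paths in demo() are constructed.

# Print the inventory_loc value from an oraInst.loc file; fail if absent.
inventory_loc() {
    _f="$1"
    [ -r "$_f" ] || { echo "cannot read $_f" >&2; return 1; }
    # Keep only the inventory_loc line and strip the key, '=' and spaces.
    _loc=$(sed -n 's/^[[:space:]]*inventory_loc[[:space:]]*=[[:space:]]*//p' "$_f" | head -n 1)
    [ -n "$_loc" ] || { echo "no inventory_loc in $_f" >&2; return 1; }
    printf '%s\n' "$_loc"
}

# Classify the inventory state opatch will meet. Prints one of:
#   missing-dir      inventory_loc points at a directory that does not exist
#   no-contents-xml  directory exists but has no ContentsXML/inventory.xml
#   ok               inventory present and populated
check_inventory() {
    _loc=$(inventory_loc "$1") || return 1
    if [ ! -d "$_loc" ]; then
        echo "missing-dir"
    elif [ ! -f "$_loc/ContentsXML/inventory.xml" ]; then
        echo "no-contents-xml"
    else
        echo "ok"
    fi
}

# Constructed demo: an oraInst.loc whose inventory lives inside a fake
# ORACLE_HOME (as in Gramolini's post), checked before and after the
# inventory is created. Prints the three states separated by spaces.
demo() {
    _tmp=$(mktemp -d)
    _home="$_tmp/oracle/product/9.2.0"
    mkdir -p "$_home"
    printf 'inventory_loc=%s/oraInventory\ninst_group=dba\n' "$_home" > "$_tmp/oraInst.loc"

    _before=$(check_inventory "$_tmp/oraInst.loc")
    mkdir -p "$_home/oraInventory/ContentsXML"
    _mid=$(check_inventory "$_tmp/oraInst.loc")
    : > "$_home/oraInventory/ContentsXML/inventory.xml"
    _after=$(check_inventory "$_tmp/oraInst.loc")

    rm -rf "$_tmp"
    printf '%s %s %s\n' "$_before" "$_mid" "$_after"
}

demo
```

On a real host, replace the demo with `check_inventory /etc/oraInst.loc` (or the file's location on your platform, which the first post notes varies) and refuse to run opatch unless it prints "ok". The check only matters when the patch actually uses opatch: as Wolfson's post points out, 8i patch 68 bundles were applied with patchserver.sh and never touch ContentsXML.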

The release cycle is also frustrating customers, according to Pete Finnigan, an Oracle security audit specialist whose recent blog post on the subject suggests a compromise.

"Possibly Oracle could compromise between a monthly schedule, which could cripple large companies with lots of databases, and the original more haphazard schedule of security releases," Finnigan wrote. "A quarterly release schedule would be better for companies' staff time budgets needed for installation and testing but would not deliver the advantage of security fixes being available monthly. It's all about compromises I suspect."

Finnigan also said applying patches to a PC, or even to a Microsoft-powered server, is probably easier than patching Oracle.

"The reason is that Microsoft really has just one platform to deal with, whereas Oracle has multiple OSes and also bugs in multiple products to deal with," he said.