From the Mailbag - taking Oracle and it's CPU to task

Published: 2009-07-18
Last Updated: 2009-07-18 17:10:53 UTC
by Patrick Nolan (Version: 1)
2 comment(s)

As a follow up to a previous Diary (Oracle Black Tuesday) we had a Storm Center participant, Brian, offer some comments about Oracle's CPU.

Brian said "Regarding your comment on Oracle Black Tuesday, I have several observations that may benefit other ISC readers.

The exposure of Oracle's CPU goes far beyond the database as they have expanded significantly into many other software, including key security management software (Identity Management/Authentication).

As Oracle repackages several open source products, administrators are stuck choosing between security and support.  For example, the recent patches to Apache's http server can't be applied because Oracle repackages that product as Oracle HTTP Server.  Apply the patches and you're no longer supported.

Oracle has got to find a way to make the CPU analysis easier.  The decision matrix an administrator has to go through is obscene.  I conducted an analysis of a recent CPU for our environment and it took me over a week solid to determine what the exposure was and what the pre-requisites for the CPU patches were.  And that doesn't include the support time and outages because Oracle's documentation was incorrect.  As a user community, we need to push Oracle to make this process simpler (think up2date or YaST or even Windows Update)

Thanks for the sending in your thoughts Brian. Banding together and working with the vendor is always effective. So if there is already a group of customers that have banded together to work effectively with Oracle, let us know some of the groups specifics and I'll update the diary.

In addition to the previous Diary's comment about the lack of substantial vulnerability information for non-customers, it should be noted that Oracle's public Critical Patch Update Advisory - July 2009 has a section called the Patch Availability Table and Risk Matrices, each products Matrix provides CVSS information that can help both customers and non-customers prioritize Oracle CPU's for deployment.

2 comment(s)


I would note that this isn't just Oracle, other vendors also follow this same repackaging technique. Cisco does it for much of their Unified Communications suite. In fact most all 'appliance' model 1U boxes are built on a pre-packaged OS and utilities.
The CPU causes many headaches here each time it arrives. We're an oracle / weblogic / jrockit house. Thankfully I've only got the responsibility for the wls & jrockit.

Oracle are running 2 patch methods for wls - either Oracle updates or smart updates (the old bea way). They need to get this sync'd down to one method so people can easily see whats going on.

They also released a jrockit patch set - actually they supplied a zip'd archive of jrockit - with no installer. also complete with the full demos / samples & src code! Just the kind of things that I want to put on my producton server.

Making the process simpler using download tools may bring more problems than it solves. Making it simpler by issuing clearer statements, with one central source for all software/patches/critial updates has to be the first step forward.

Oracle are one of the big players, they need to get their act together and get some continutiy across their product range.

Greetings from Munich :)

Diary Archives