How To Address Security Scan Findings on ODA X8

How To Address Security Scan Findings on ODA X8

abdessamad321
Dear Erman sir,

Thanks for supporting us from time to time.

My question is about applying security fixes on ODA without using the quarterly released bundle patch for ODA.
Can we apply OS patches in response to a vulnerability (a zero day, for example) without waiting for the global patch released by Oracle for ODA?


Thank you.

Re: How To Address Security Scan Findings on ODA X8

ErmanArslansOracleBlog
Administrator
Please see ->

ODA Responses to Oracle Database Appliance Security Scan Findings (Doc ID 2115814.1)

There you will find the actions for an SSL vulnerability.. And those actions are basically rpm install actions.. So this proves that in some cases you can take actions to the point..

So, if it is documented, yes.. If it is suggested by Oracle, then again yes :)

Just use the CVE code + ODA keywords and check Oracle Support.. You can find Oracle Database Appliance: Patch Availability, Application and De-installation Information there..

Re: How To Address Security Scan Findings on ODA X8

abdessamad321
Hi Erman sir,

Thanks for the update. It becomes very complicated if we want to patch ODA to a new version, because the release notes indicate that we have to roll back all the OS patches or any rpm installed manually to guarantee the success of the application of the quarterly released patch.

So I don't know whether we can accept applying only the patches from the ODA bundle released by Oracle (in which case zero-day vulnerabilities are not covered, nor those that appear after the release of the patch, which is published quarterly), or whether we have to apply patches for security findings as described in the note you shared and write them down somewhere to undo them before patching ODA?

Thank you,

Re: How To Address Security Scan Findings on ODA X8

ErmanArslansOracleBlog
Administrator
Hi,

My comments are in my previous update.
There is a MOS note that I shared with you. There are rpm actions there, this means you can install or update packages on your ODA Operating Systems, but you need to get the approval from Oracle Support.
You are already concerned as you see..
So what I tell you is, it is technically possible and it is done in certain cases, but you should do it only if you get the approval of Oracle Support.
This is an engineered system..

Re: How To Address Security Scan Findings on ODA X8

abdessamad321
Thank you sir, it's clear now.