Oracle to score risk of vulnerability patches

Applying the patches in an Oracle Critical Patch Update (CPU) is expensive, risky and time-consuming.

Many risk-averse companies take an "if it's not broken, don't fix it" approach to patches, applying only those that have a known impact on their applications.

To assist these shops, Oracle has announced that it will begin prioritizing its patches, noting the vulnerability exposure associated with each one:

"Unlike Apple and Microsoft, Oracle has resisted rating the vulnerabilities it discloses when it rolls out patches. But in the past the company has been hammered by critics more for its slow pace in patching than for a lack of rankings.

Oracle is also known for its massive CPUs, which at times have detailed dozens of vulnerabilities. In April, for example, the first-quarter CPU patched 36 flaws, while July's second-quarter batch contained 65 bug fixes."

Eric Maurice has noted that Oracle is adopting the Common Vulnerability Scoring System to help customers decide which patches to apply:

"With the October 17th Critical Patch Update, Oracle will introduce three major enhancements in its CPU documentation:

  • Oracle is adopting the Common Vulnerability Scoring System (CVSS)
  • Oracle will specifically identify those critical vulnerabilities that may be remotely exploitable without requiring authentication to the targeted system.
  • Oracle will provide an executive summary of the security vulnerabilities addressed in the CPU."

Since it is usually the IT manager who decides which patches to apply, the new CPU documentation will also contain a plain-English executive summary of the vulnerabilities the CPU closes:

"This executive summary will provide a "plain English" explanation of the vulnerabilities addressed in the CPU. The summary may be used to brief executive management and other non-IT groups on the nature of the defects to be patched. This enhancement is designed to help organizations assess their preparedness for the upcoming CPU."


Burleson Consulting
Copyright © 1996 -  2017

All rights reserved by Burleson