Get Started with Vulnerability Detection and Patching Service
This topic describes how to get started with Vulnerability Detection and Patching. Note that enabling the Vulnerability Detection and Patching service enables both components together; they cannot be enabled or disabled individually.
Supported Versions
Supported Deployment Types | Supported Database Versions | Supported Platforms |
---|---|---|
External Databases | 12.1 and later | Linux |
Oracle Cloud Databases | 12.1 and later | Linux |
Terminology Used in Vulnerability Detection and Patching
- Vulnerability Detection and Remediation: The process of identifying potential security weaknesses (vulnerabilities) in database systems and taking the actions needed to fix or mitigate them, thereby reducing the risk of exploitation by attackers. It involves scanning for vulnerabilities, prioritizing them by severity, and applying the patches and updates that address them.
- CVE: The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
The United States National Cybersecurity FFRDC, operated by The MITRE Corporation, maintains the database. CVE records and CVE IDs are listed on MITRE's system as well as in the US National Vulnerability Database (NVD).
- CVSS: The Common Vulnerability Scoring System (CVSS) is a method for capturing the principal characteristics of a vulnerability and producing a numerical severity score ranging from 0.0 to 10.0. The numerical score can then be mapped to a qualitative rating. CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores.
CVSS v4.0 maps scores to qualitative severity ratings as follows:
Severity | Score Range |
---|---|
None | 0.0 |
Low | 0.1-3.9 |
Medium | 4.0-6.9 |
High | 7.0-8.9 |
Critical | 9.0-10.0 |
- BYOL: With Bring Your Own License (BYOL) you can use your existing Oracle software licenses from on-premises environments to run applications on Oracle Cloud without purchasing new licenses. If you have the Enterprise Manager Database Lifecycle Management (DBLM) pack licensed, you can use the BYOL option to run the OCI Vulnerability Detection and Patching service at 50% of the cost.
- Patch Classification: Patches are classified as Recommended Security or Recommended Alternate patches. Oracle Critical Patch Updates (CPUs) are considered Recommended Security patches and are released on the third Tuesday of January, April, July, and October.
Oracle recommends Critical Patch Updates (CPUs) for all supported products. The Vulnerability Detection and Patching service recommends that you apply the mandatory Recommended Security patches, and that you also evaluate and apply the Recommended Alternate patches.
- Database Release: Denotes a major release, for example: 19c, 23ai.
- Gold Image: Represents a database release. A Gold Image consists of versions, each of which maps to a specific database version. When you create a Gold Image (sometimes referred to as an image), you create it with an initial version. Oracle recommends that you create only one Gold Image for each database release. A Gold Image cannot be empty; it must contain at least one version.
When Oracle releases new database versions, you add them as new versions of your image. For example, for the 19c release, you create the Gold Image 19c_Release and then add versions such as 1910DBRU, 1915DBRU, 1922DBRU, and so forth. Oracle recommends that a Gold Image contain no more than 3 versions, which keeps maintenance and storage consumption manageable.
- Update Database: A patching operation in which the database is updated from one version to a higher version within the same release, for example from Oracle Database 19.15 to 19.22. Moving between releases (for example, from 19c to 23ai) is an upgrade, not an update.
- MOS Connection and Credentials: A service that connects to MOS (My Oracle Support) to download patches, release updates, monthly release patches, and ARU seed data (products, platforms, releases, components, certification details, and patch recommendations).
- Resource type: Vulnerability Detection and Patching can be used with the following external database types: Container Database (CDB), Single Instance, and RAC Instance databases.
Note
Currently, only External Databases running on premises or on Oracle Cloud Infrastructure Virtual Machines with a Linux operating system are supported.
- Out-of-Place Patching: A mechanism in which the Gold Image containing the required patches is deployed into a new Oracle home while the existing home stays in service. Once the deployment is complete, you migrate the database instances to run from the new home, which keeps downtime to a minimum.
- Rolling Mode: In this mode, the nodes of a cluster are patched one at a time, so the database remains available on the nodes that are not currently being patched.
- Check Conflicts: Assesses patch conflicts for each database before deployment, so that conflicting patches are identified up front and the number of merged patches required is reduced.
- Deploy software: Deployment of the Oracle home software.
- Patch Operation: You can view all Patch Management operations by Operation Name, number of Databases patched, Status (successful, completed with errors, failed), Start Time, End Time, and Elapsed Time.
- Patch compliance: Shows how many of the subscribed targets are on the current version of the image. Subscribed targets that are not on the current version are non-compliant and need to be updated.
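To make the Gold Image, Update Database, and Patch compliance terms above concrete, the following is an added illustrative model, not code from the Oracle service or its API. It assumes that image versions are labelled in the `1922DBRU` style used in the Gold Image example (two-digit release followed by two-digit release update), that the "current" version of an image is its highest version, and it uses a constructed fleet of three databases as sample input.

```python
"""Illustrative model of gold-image versions, patch compliance and in-release
update validation. This is an added example, not the Oracle service's own code;
the version-label format and the sample fleet are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed label format: "1922DBRU" -> release 19, release update 22.
_RU_LABEL = re.compile(r"^(\d{2})(\d{2})DBRU$")

# The page recommends keeping no more than 3 versions per gold image.
MAX_GOLD_IMAGE_VERSIONS = 3


def parse_ru(label: str) -> tuple[int, int]:
    """Split a version label such as '1922DBRU' into (release, release_update)."""
    m = _RU_LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class GoldImage:
    """A gold image belongs to one release and holds an ordered list of versions."""
    name: str
    release: int
    versions: list[str] = field(default_factory=list)

    def add_version(self, label: str) -> None:
        """Add a new version, enforcing the same-release rule and the size limit."""
        release, _ = parse_ru(label)
        if release != self.release:
            raise ValueError(f"{label} is a {release}c version; image {self.name} is {self.release}c")
        if label in self.versions:
            raise ValueError(f"{label} is already in image {self.name}")
        if len(self.versions) >= MAX_GOLD_IMAGE_VERSIONS:
            raise ValueError(f"image {self.name} already holds {MAX_GOLD_IMAGE_VERSIONS} versions; retire one first")
        self.versions.append(label)
        self.versions.sort(key=parse_ru)  # keep oldest -> newest order

    @property
    def current(self) -> str:
        """The current version is the highest one; an empty image is an error."""
        if not self.versions:
            raise ValueError(f"gold image {self.name} cannot be empty")
        return self.versions[-1]


def patch_compliance(image: GoldImage, subscribed: dict[str, str]) -> dict:
    """Report which subscribed databases run the image's current version.

    `subscribed` maps a database name to the version label it currently runs.
    """
    current = image.current
    compliant = sorted(db for db, v in subscribed.items() if v == current)
    non_compliant = sorted(db for db, v in subscribed.items() if v != current)
    percent = round(100 * len(compliant) / len(subscribed), 1) if subscribed else 100.0
    return {"current": current, "compliant": compliant,
            "non_compliant": non_compliant, "percent": percent}


def validate_update(from_version: str, to_version: str) -> tuple[bool, str]:
    """An Update Database operation must stay in one release and move to a higher version."""
    from_rel, from_ru = parse_ru(from_version)
    to_rel, to_ru = parse_ru(to_version)
    if from_rel != to_rel:
        return False, f"{from_rel}.{from_ru} -> {to_rel}.{to_ru} crosses releases; that is an upgrade, not an update"
    if to_ru <= from_ru:
        return False, f"target {to_rel}.{to_ru} is not higher than current {from_rel}.{from_ru}"
    return True, f"in-release update {from_rel}.{from_ru} -> {to_rel}.{to_ru}"


if __name__ == "__main__":
    image = GoldImage("19c_Release", release=19)
    for label in ("1910DBRU", "1915DBRU", "1922DBRU"):
        image.add_version(label)

    # Constructed sample fleet: database name -> version it currently runs.
    fleet = {"finprod": "1922DBRU", "hrprod": "1915DBRU", "devdb": "1910DBRU"}
    report = patch_compliance(image, fleet)
    print(f"current version: {report['current']}, compliance: {report['percent']}%")
    for db in report["non_compliant"]:
        ok, reason = validate_update(fleet[db], image.current)
        print(f"  {db}: {reason}" if ok else f"  {db}: cannot update: {reason}")
```

Running the script reports one compliant database out of three and proposes an in-release update for the two that lag behind. The same `validate_update` check rejects a 19c to 23ai move, matching the Update Database definition above, and `add_version` refuses a fourth version so that the three-version recommendation is enforced rather than merely documented.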
Set Up Vulnerability Detection and Patching
To begin using Vulnerability Detection and Patching, complete the prerequisites, obtain the necessary permissions, and enable the service.