E9.2 Latest Oracle Critical Patch Update requires 9.2.8.1 upgrade?

sashton

Reputable Poster
Has anyone else noticed that the latest Oracle Quarterly Critical Patch Update issued on January 16, 2024 has several critical vulnerabilities related to Tools Releases prior to 9.2.8.1, so basically anything but the most recent? My security team is asking when I can have this "patch applied". I have 7 instances of E1 on varying releases, 2 of which haven't even had their 64-bit conversion done. This will take some time to mitigate. I really want Oracle to explain how/what they patched in a Tools Release that they can't release as a hotfix, so we don't have to go right to a full-blown Tools upgrade, at least temporarily.

 
It's not new that they fix things only with the latest Tools Release. You have a CVE and a component with which you can look up whether this really affects you. For example: not using One-Click Provisioning? You probably don't need the critical fixes for node.js or Ruby.

Oracle's strategy has been staying code current for years now; this is just how they run the software. If they released patches for every single software combination a customer might have, that would be their only business. You might get a fix or two for the most critical ones if you ask for them and if you are on a supported Tools Release, but you won't get all of them.

In the real world, there are plenty of outdated systems, of course. You, we, all of us have to find other mitigations for this. I don't know a single customer where the security team likes the way the company is updating their JDE by 100% :) Gotta make sure you have your firewalls in place, subnets, privileged access, etc. etc.
 
Hey, Steve. Long time no see. Unfortunately, MFreitag is right.
This sounds like something you will have to take to the business units and have them sign off on things to get Eric off your back. 😊
 