I started off this site in October 2007 with a post talking about how upgrades and patches can negatively impact the security posture of your infrastructure. Well, here it is nearly two years later, and the problem persists.
We'll pick on Oracle here, but the problem is common among most software vendors. Let's take the recent Oracle Critical Patch Update (CPU) for April 2009. If you are running a 10.2.0.3 database, you'll have to upgrade to 10.2.0.4 (or higher) before you can install the patch, since 10.2.0.3 is no longer supported and the CPU is not provided for it.
So far we have identified two issues with the 10.2.0.3 to 10.2.0.4 upgrade. The first applies only if you have Ultrasearch installed. Installing Ultrasearch creates a schema called WKSYS. In a properly secured database, this schema should have its default password changed to a strong one, and the account should be locked, expired and audited. If your database was secured that way, you will find after running the 10.2.0.4 Database Upgrade Assistant that the WKSYS account is unlocked again and its password has been reset to the account name (WKSYS). Ouch!
The other issue, which we have found so far in every 10.2.0.3 to 10.2.0.4 upgrade, is that the hidden parameter _trace_files_public gets reset to TRUE. With that setting, trace files are created world-readable, so any OS user on the server can read the SQL text, bind values and other session details that end up in them.
It should be noted that in both cases the upgrade itself caused the issue; the actual CPU patch had no impact on the database security posture.
We are not yet sure whether these issues are generic or platform-specific. We found them on Solaris SPARC 64-bit.
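Here is a post-upgrade check for both regressions described above, followed by the remediation. This is an added example and not a script from the original post or from Oracle; it assumes you run it as SYS in SQL*Plus (the x$ fixed tables used for the hidden parameter are not visible to ordinary DBA users), and the placeholder password is yours to replace.

```sql
-- Added example: verify the two 10.2.0.4 upgrade regressions discussed above.
-- Run as SYS. The account name WKSYS and the parameter _trace_files_public
-- come from the post; everything else is a standard Oracle data-dictionary query.

-- 1. Did the upgrade unlock / un-expire the WKSYS account?
--    A hardened database should show an account_status of LOCKED,
--    EXPIRED & LOCKED, or similar here, with a non-null lock_date.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'WKSYS';

-- 2. Is _trace_files_public back to TRUE?
--    Hidden ("_") parameters do not appear in v$parameter, so read the
--    underlying fixed tables: ksppinm is the parameter name, ksppstvl its
--    current value. A hardened database should report FALSE.
SELECT a.ksppinm AS name, b.ksppstvl AS value
  FROM x$ksppi  a
  JOIN x$ksppcv b ON a.indx = b.indx
 WHERE a.ksppinm = '_trace_files_public';

-- 3. Remediation if either check fails.
--    Set a new strong password, lock and expire the account, and audit it.
--    "<strong-random-password>" is a placeholder to replace before running.
ALTER USER wksys IDENTIFIED BY "<strong-random-password>" ACCOUNT LOCK PASSWORD EXPIRE;
AUDIT ALL BY wksys BY ACCESS;

--    _trace_files_public is not dynamically modifiable: write it to the spfile
--    so it takes effect at the next instance restart.
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
```

Two caveats. The DBA_USERS_WITH_DEFPWD view that lists accounts still on their default password only exists from 11g onward, so on 10.2 the simplest way to confirm the WKSYS password really changed is to try `sqlplus wksys/wksys` from the server: ORA-28000 (account locked) or ORA-01017 (invalid username/password) is what you want to see, and a successful login means the password is back to the account name. And because the parameter change only lands in the spfile, re-run query 2 after the restart to confirm the running instance picked it up.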
The moral of the story is that you need to re-scan your infrastructure after any change, upgrades included. Again, we recommend AppSentry from Integrigy, because we work a lot with the Oracle E-Business Suite, where this tool is unmatched, but it works great for plain old Oracle databases as well. See Integrigy's web site for details; Stephen Kost's Oracle Security Blog at the same site is always a worthy read.