Database Patch News — December 2020 (Issue 5)


Welcome to Database Patch News, Buda Consulting’s newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information recently made available on patches—including security patches—and desupported versions.

Why should you care about patching vulnerabilities and bugs? Two big reasons:

  1. Unpatched systems are a top cyber attack target. A patch release effectively advertises the vulnerability it fixes, and attackers reverse-engineer patches to build working exploits quickly. The longer you wait to patch, the greater your exposure. 
  2. Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs. 

Here are the latest patch updates for Oracle and SQL Server:

Oracle Patches:

October 20, 2020 Quarterly Patch Updates:

19c – Release Update 19.9 is available (31771877 & 31668882)

18c – Release Update 18.12 is available (31730250 & 31668892)

12cR2 – Release Update 201020 is available (31741641 & 31668898)

Premier Support ends in Mar 2023 and Extended Support ends in Mar 2026.

12cR1 – Release Update 201020 is available (31550110 & 31668915)

Premier Support ended in July 2019 and Extended Support ends in July 2021.

11gR2 (11.2.0.4) – Patch Set Update 201020 is available (31720776)

Premier Support ended in October 2018 and Extended Support ends in December 2020.
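Before trusting that one of these Release Updates is in place, check what the database itself records. The following is an added example, not part of the newsletter: DBA_REGISTRY_SQLPATCH is the view that datapatch maintains, and it is the part of an RU or PSU that opatch alone does not complete. The patch number in the second query is the 19.9 RU number listed above; substitute the one for your release. The third query assumes 12.1 or later (dbms_qopatch) and the XML layout that package returns.

```sql
-- Added example (not from the newsletter). Run as SYSDBA inside the database; in a CDB,
-- run it in CDB$ROOT and in each PDB, because datapatch records its work per container.

-- 1. Everything datapatch has applied or rolled back, newest first.
--    These columns exist from 12.1 onward; 12.2+ also has PATCH_TYPE (RU/RUR/INTERIM)
--    and TARGET_VERSION if you want them.
SELECT patch_id,
       action,
       status,
       TO_CHAR(action_time, 'YYYY-MM-DD HH24:MI') AS action_time,
       description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 2. Is the 19.9 Release Update (patch 31771877 in the list above) fully applied?
--    The only acceptable answer is a row with ACTION = 'APPLY' and STATUS = 'SUCCESS'.
--    STATUS = 'WITH ERRORS', or no row at all, means the binaries may carry the patch
--    but the data dictionary does not; re-run datapatch and check again.
SELECT patch_id, action, status, description
  FROM dba_registry_sqlpatch
 WHERE patch_id = 31771877
 ORDER BY action_time DESC;

-- 3. Cross-check against the binary inventory (what opatch lsinventory would print),
--    read from SQL via dbms_qopatch, which returns the inventory as XML.
SELECT x.patch_id, x.description
  FROM XMLTABLE('/InventoryInstance/patches/patch'
         PASSING dbms_qopatch.get_opatch_lsinventory()
         COLUMNS patch_id    NUMBER        PATH 'patchID',
                 description VARCHAR2(200) PATH 'patchDescription') x
 ORDER BY x.patch_id DESC;
```

If query 3 lists the RU but query 2 does not, the database was patched on disk and never had datapatch run against it; that is the most common reason an "applied" patch still leaves the SQL-level fixes missing.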

 

SQL Server Patches:

SQL Server 2019

Cumulative update 8 (Latest build) Released Oct 1, 2020

Mainstream support ends Jan 7, 2025

Extended support ends Jan 8, 2030

 

SQL Server 2017

Cumulative update 22 (Latest build) Released Sept 10, 2020

Mainstream support ends Oct 11, 2022

Extended support ends Oct 12, 2027

 

SQL Server 2016 Service Pack 2

Cumulative update 15 Release date: Sept 28, 2020

Mainstream support ends Jul 13, 2021

Extended support ends Jul 14, 2026

 

SQL Server 2014 Service Pack 3

Cumulative update 4 Release date: Jul 29, 2019

Mainstream support ended Jul 9, 2019

Extended support ends Jul 9, 2024

 

SQL Server 2012 Service Pack 4

Release date: Oct 5, 2017

Mainstream support ended Jul 11, 2017

Extended support ends Jul 12, 2022


Note: All SQL Server versions not listed above are no longer supported.
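To see which of these builds an instance is really running, and whether it is behind a given CU, here is an added example that is not part of the newsletter. The @minimum_build value is a placeholder to replace with the build number from the KB article of the CU you are targeting; the one filled in is the number Microsoft published for SQL Server 2019 CU8, and you should confirm it against that KB before relying on it.

```sql
-- Added example (not from the newsletter): report this instance's patch level and compare it
-- with a minimum build taken from the CU's KB article. @minimum_build is a placeholder.
DECLARE @minimum_build nvarchar(32)  = N'15.0.4073.23';
DECLARE @current       nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));

-- Split both versions into integers. Comparing the strings directly is wrong:
-- N'15.0.999.0' sorts above N'15.0.4073.23' as text, but 999 < 4073 as a build number.
-- The minor part (PARSENAME(..., 3)) is 0 for every version on this page, so it is ignored.
;WITH v AS (
    SELECT CAST(PARSENAME(@current, 4)       AS int) AS cur_major,
           CAST(PARSENAME(@current, 2)       AS int) AS cur_build,
           CAST(PARSENAME(@current, 1)       AS int) AS cur_rev,
           CAST(PARSENAME(@minimum_build, 4) AS int) AS min_major,
           CAST(PARSENAME(@minimum_build, 2) AS int) AS min_build,
           CAST(PARSENAME(@minimum_build, 1) AS int) AS min_rev
)
SELECT @current                                 AS product_version,
       SERVERPROPERTY('ProductLevel')           AS product_level,    -- RTM or SPn
       SERVERPROPERTY('ProductUpdateLevel')     AS update_level,     -- CUn; NULL on builds that predate the property
       SERVERPROPERTY('ProductUpdateReference') AS kb_article,       -- KB of the last CU or GDR installed
       SERVERPROPERTY('Edition')                AS edition,
       CASE
           WHEN cur_major <> min_major
               THEN 'major version differs from the target: compare against the CU list for this version'
           WHEN cur_build > min_build OR (cur_build = min_build AND cur_rev >= min_rev)
               THEN 'at or above minimum build'
           ELSE 'BELOW minimum build: patch this instance'
       END                                      AS verdict
  FROM v;
```

Run it from a scheduled job across every instance you own and you have the inventory you need each time an issue of this newsletter arrives.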

 

5 Things to NEVER DO with Your Passwords

Password security is one of many elements of our ongoing efforts to protect our customers’ data. But even though we have all heard many times how important password protection is, we still see basic password protection rules broken all the time.

So here is a quick refresher:

  1. Never write down your password on paper. Never stick a note with your password on it to your laptop keyboard, or tape it to your monitor, or hang it on your cubicle wall. Just don’t do it!
  2. Never keep passwords in a clear text (non-encrypted) file on your laptop, on a server, or on any storage device. Just don’t do it!
  3. Never make it easy for a hacker to guess your password by including the company name, vendor name, your name, server name, application name, department name, pet’s name, kid’s name, spouse’s name, birthday, anniversary, or any combination of the above. Substituting some symbols for letters, like P@yr0ll or S@l$sF0rce, is still not OK. Personal information is easy to find on the internet, and symbol substitution is the first rule every password-cracking tool applies, so it won’t fool a good hacker. Just don’t do it!
  4. Never log on to anything while sharing your screen in a web meeting. A quick screenshot can be taken by anyone watching. Just don’t do it!
  5. Never send passwords to colleagues, clients, vendors, or anyone else in a non-encrypted email, or in a Slack message, Google chat, or any other “open” channel. Just don’t do it!
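Rule 3 can be enforced on database accounts rather than left to good intentions. The following is an added example, not something from the newsletter or from Oracle’s own utlpwdmg.sql: a custom Oracle password verify function that undoes the usual symbol-for-letter substitutions before checking the password against the user name and a denylist. The function name, the banned-word list and the profile it is attached to are assumptions; it catches the P@yr0ll case above, but a mapping this small will not catch every variant (S@l$sF0rce uses $ for e), so treat it as a floor, not a complete defence.

```sql
-- Added example (not from the newsletter). Create as SYS; the signature is the one Oracle
-- requires for PASSWORD_VERIFY_FUNCTION. Banned words and the profile name are placeholders.
CREATE OR REPLACE FUNCTION buda_verify_function (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    TYPE word_list IS TABLE OF VARCHAR2(64);
    -- words a local attacker would try first: company, vendors, apps, departments
    banned     word_list := word_list('buda', 'oracle', 'payroll', 'salesforce',
                                      'finance', 'welcome', 'password');
    normalized VARCHAR2(4000);
BEGIN
    IF password IS NULL OR LENGTH(password) < 15 THEN
        raise_application_error(-20001, 'Password must be at least 15 characters');
    END IF;

    -- Undo the common substitutions before comparing, so P@yr0ll is judged as "payroll":
    --   @->a  $->s  0->o  1->l  3->e  4->a  5->s  7->t  !->i
    normalized := LOWER(TRANSLATE(password, '@$013457!', 'asoleasti'));

    IF INSTR(normalized, LOWER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;

    FOR i IN 1 .. banned.COUNT LOOP
        IF INSTR(normalized, banned(i)) > 0 THEN
            raise_application_error(-20003,
                'Password must not contain "' || banned(i) || '" (even with symbols swapped in)');
        END IF;
    END LOOP;

    -- Still require some variety, checked on the original string, not the normalized one
    IF NOT REGEXP_LIKE(password, '[0-9]')
       OR NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        raise_application_error(-20004, 'Password needs letters, digits and at least one symbol');
    END IF;

    RETURN TRUE;
END;
/

-- Attach it to the profile your database accounts use (DEFAULT here; substitute your own).
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION buda_verify_function;

-- After this, ALTER USER app_user IDENTIFIED BY "P@yr0ll!2020xyz" fails with
-- ORA-28003 (password verification failed) wrapping the ORA-20003 raised above.
```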

OK, so I told you what not to do. Now how can you cope with all the passwords you have to remember?

The approach that I use is to minimize the number of passwords that I have to remember by using a password store application (aka a password manager) like LastPass. This tool and others like it securely store many of my passwords, so I only need to remember the master password that opens my password store. All my other passwords are randomly generated, very strong passwords that I don’t even try to remember. My master password is a complex string of characters and numbers, but since it’s the only password I need to remember it’s not a problem. 

One more thing: whenever it is offered, use two-factor authentication (2FA) for applications that really matter, like bank accounts. The extra step is simple with SMS codes or an authenticator app, and well worth it for the significant extra protection 2FA offers. When a service gives you the choice, prefer an authenticator app or a hardware security key over SMS: SMS codes can be intercepted through SIM-swap attacks, so they are the weakest of the options, though still far better than a password alone.

So go ahead, protect your data—JUST DO IT!

Happy protecting!

 

In-Place Oracle Database Encryption with Zero Downtime

Have you been wanting to encrypt your Oracle database “since forever,” but feel like you just can’t afford the downtime? If a lot of data is involved, taking it all offline and encrypting it could be very time-consuming. So you’ve been putting the process off, while keeping your fingers crossed that your company’s network security will somehow protect you from a data breach and associated legal, compliance and reputational impacts. 

But did you know that you can now encrypt existing tablespaces in place, either online or offline, in Oracle? Transparent Data Encryption (TDE) itself has been part of Oracle Enterprise Edition for years (it is licensed as part of the Advanced Security Option), but before 12.2 encrypting existing data meant creating a new encrypted tablespace and moving the objects into it. In case you missed it, Oracle Database 12.2 (released in 2017) added online tablespace encryption, a much-needed feature that lets you encrypt an existing tablespace while the database remains open and in use. 

If you’ve been running an earlier Oracle version and haven’t seen a compelling reason to update, online tablespace encryption could be it. This capability is a game-changer for those who want to “do the right thing” and encrypt their data at rest, but haven’t wanted to incur the downtime.

At a high level, here is how the online conversion works:

    • First, encrypt the system tablespaces (SYSTEM, SYSAUX and UNDO). These must be converted separately from the user tablespaces.
    • Next, encrypt the user tablespaces, one at a time. 
    • Finally, drop and recreate any temporary tablespaces as encrypted ones (TEMP cannot be converted online).

That’s basically all there is to it! There are some technical issues that your DBA and/or security group will need to work out, such as key management and disk space. The TDE master key lives in a keystore (wallet) outside the database: it has to be open before encrypted tablespaces can be read, and it must be backed up separately, because a backup of an encrypted database is unreadable without it. You must also have enough free disk space during the conversion to hold a second copy of your largest tablespace, since the online conversion writes an encrypted copy of each data file alongside the original.

Of course, you need to back up your entire database before you start the encryption process. If you decide to tackle encryption gradually, then just back up each tablespace before you convert it.
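The procedure above, end to end, as an added example that is not part of the newsletter. The keystore path and password, tablespace and data file names, and the TEMP size are placeholders for your own; the statements assume 12.2 or later with the Advanced Security Option licensed, the keystore location already configured (WALLET_ROOT or the sqlnet.ora ENCRYPTION_WALLET_LOCATION), and a non-CDB or a single PDB (in a CDB the key management statements take a CONTAINER clause).

```sql
-- Added example (not from the newsletter). Run as SYSDBA/SYSKM. All names are placeholders.
-- 0. Back up first (RMAN BACKUP DATABASE, or per tablespace if converting gradually),
--    and remember that from here on the backups are useless without the keystore.

-- 1. One-time keystore setup: create it, open it, and generate the master encryption key.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
    IDENTIFIED BY "keystore_password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore_password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore_password" WITH BACKUP;
-- Optional: auto-login keystore so the wallet opens at instance startup without a DBA typing it.
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
    FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet' IDENTIFIED BY "keystore_password";

-- 2. System tablespaces, separately and before the user tablespaces; let each finish
--    (V$ENCRYPTED_TABLESPACES.STATUS returns to NORMAL) before issuing the next.
ALTER TABLESPACE SYSTEM   ENCRYPTION ONLINE ENCRYPT
    FILE_NAME_CONVERT = ('system01.dbf', 'system01_enc.dbf');
ALTER TABLESPACE SYSAUX   ENCRYPTION ONLINE ENCRYPT
    FILE_NAME_CONVERT = ('sysaux01.dbf', 'sysaux01_enc.dbf');
ALTER TABLESPACE UNDOTBS1 ENCRYPTION ONLINE ENCRYPT
    FILE_NAME_CONVERT = ('undotbs01.dbf', 'undotbs01_enc.dbf');

-- 3. User tablespaces, one at a time. AES256 is named explicitly (the default is AES128).
--    FILE_NAME_CONVERT names the encrypted copy, which is why the free-space requirement exists.
ALTER TABLESPACE USERS ENCRYPTION ONLINE USING 'AES256' ENCRYPT
    FILE_NAME_CONVERT = ('users01.dbf', 'users01_enc.dbf');

-- 4. TEMP cannot be converted: create an encrypted replacement, switch the default, drop the old one.
CREATE TEMPORARY TABLESPACE TEMP_ENC
    TEMPFILE '/u01/app/oracle/oradata/ORCL/temp_enc01.dbf' SIZE 2G
    ENCRYPTION USING 'AES256' ENCRYPT;
ALTER DATABASE DEFAULT TEMPORARY TABLESPACE TEMP_ENC;
DROP TABLESPACE TEMP INCLUDING CONTENTS AND DATAFILES;

-- 5. Verify: every tablespace should now show ENCRYPTED = 'YES', and no conversion should
--    still be in progress. Anything left at 'NO' is still plaintext on disk.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg, e.status
  FROM dba_tablespaces t
  LEFT JOIN v$tablespace vt ON vt.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = vt.ts#
 ORDER BY t.tablespace_name;
```

The verification query is the one worth keeping around: run it after any tablespace is added, because a new tablespace created without the ENCRYPTION clause is unencrypted by default unless the ENCRYPT_NEW_TABLESPACES parameter says otherwise.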

Taking the important step of encrypting your sensitive data at rest will significantly improve your security posture.

So what are you waiting for? Get encrypting!

To schedule a free consultation on your database security, including encryption requirements, contact Buda Consulting.

It’s in the Database

Managed Health Systems of Indiana patient health information, July-September, 2019; Microsoft customer service and support records, January 22, 2020; Wyze email addresses, December 30, 2019; Georgia Tech student data, March 2019.

What do all of these breaches have in common? The data that was stolen was inside a database.

Yet when most companies think about data security, they still focus on securing the network, and spend very little time and energy making sure the databases—where the data actually lives—are safe.

When was the last time you had a network security assessment done? If yours is like most companies, it was pretty recently… and that’s good.

But when was the last time you had a database security assessment done? If yours is like many companies, the answer is “Never.”

Even if your network security posture is robust, it is only a matter of time before your network is breached. And don’t forget about “insider threats,” both malicious and accidental. It is best to add another layer of protection between the bad actors and your data.

Make sure that when cybercriminals do get past your network protections, your database will keep them out.

Download our Database Security Roadmap to get valuable insights into creating an in-depth defensive posture to protect your data.


Database Patch News — February 2020 (Issue 2)

Welcome to Database Patch News, Buda Consulting’s monthly newsletter of current patch information for Oracle and Microsoft SQL Server. Here you’ll find information on available patches—including security patches—and desupported versions made available during the past month.

Why should you care about patching vulnerabilities and bugs? Two big reasons:

  1. Unpatched systems are a top cyber attack target. A patch release effectively advertises the vulnerability it fixes, and attackers reverse-engineer patches to build working exploits quickly. The longer you wait to patch, the greater your exposure.
  2. Along with running a supported database version, applying the latest patches ensures that you can get support from the vendor in case of an issue. Patching also helps eliminate downtime and lost productivity associated with bugs. 

Here are the latest patch updates for Oracle and SQL Server:

Oracle Patches:

19c
DATABASE RELEASE UPDATE 19.6.0.0.0.200114
OJVM RELEASE UPDATE 19.6.0.0.0.200114

18c
DATABASE RELEASE UPDATE 18.9.0.0.0.200114
OJVM RELEASE UPDATE 18.9.0.0.0.200114

12cR2
DATABASE RELEASE UPDATE 12.2.0.1.200114
OJVM RELEASE UPDATE 12.2.0.1.200114
Premier Support ends Mar 2023 and Extended Support ends Mar 2026

12cR1
DATABASE PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)

OJVM PATCH SET UPDATE 12.1.0.2.200114
(Extended Support Contract Required)

The last patch available without an Extended Support contract was the July 2019 PSU for 12.1.0.2. PSU 12.1.0.2.191015 (October 15, 2019) and later PSUs are available but may require an Extended Support purchase to access them. Patches will be released for this version until July 2021.

11gR2 (11.2.0.4)
DATABASE PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)
OJVM PATCH SET UPDATE 11.2.0.4.200114
(Extended Support Contract Required)

The last freely available patch was October 2018 for 11.2.0.4. PSU 11.2.0.4.191015 is available but may require clients to purchase extended support to access it.

Oracle Engineered Systems
Oracle Exadata System Software for 18.1.24, 19.2.10 & 19.3.4
Oracle Exadata QFSDP for Jan 2020
Oracle SuperCluster QFSDP for Jan 2020

SQL Server Patches:
SQL Server 2019 – Cumulative Update 1 released on 01/07/2020

SQL Server 2017 – Cumulative Update 18 released on 12/09/2019
SQL Server 2016 Service Pack 2 – Cumulative Update 11 released on 12/09/2019
SQL Server 2016 Service Pack 1 – Cumulative Update 15 released on 07/09/2019
SQL Server 2014 Service Pack 3 – Cumulative Update 4 released on 07/29/2019
SQL Server 2014 Service Pack 2 – Cumulative Update 18 released on 07/29/2019