Tuesday, May 28, 2013

Oracle adpatch security considerations


When patching an Oracle database you use opatch ($ORACLE_HOME/OPatch), and when patching an Oracle application you use adpatch ($AD_TOP/bin). The Oracle security best practices include some advice on the use of adpatch that is not commonly known and not commonly applied when maintaining an application.

The main security issue with adpatch is that when you apply a patch with it, the log file will contain the passwords you have used. When adpatch was developed this might have looked acceptable to the developers; in most cases, however, it is very unwelcome. Having a clear-text file on your filesystem that contains passwords is never a good thing and should be prevented.

To ensure that the password is not stored in the log file, you can set a flag that prevents it: run adpatch flags=hidepw. With this flag, the passwords you provide to adpatch will not be shown in the log files.

You should ensure that your Oracle application is only ever patched with this flag set, so that someone who gains access to the log file cannot recover the password from it.
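One way to enforce that rule is to route every patch run through a wrapper that adds flags=hidepw when it is missing. The script below is an added example, not Oracle's code and not part of the original post. It assumes that flags= takes a comma-separated list and that a nohidepw entry would turn hiding off; ADPATCH_BIN and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Oracle code. Assumptions: flags= takes a comma-separated
# list, and a "nohidepw" entry would switch password hiding off.

# Print the argument list, one per line, with hidepw guaranteed in flags=.
# Returns 1 without printing arguments if the caller asked for nohidepw.
enforce_hidepw() {
    out=""
    seen_flags=0
    for arg in "$@"; do
        case "$arg" in
            flags=*)
                seen_flags=1
                list=${arg#flags=}
                case ",$list," in
                    *,nohidepw,*)
                        echo "refusing to run: nohidepw requested" >&2
                        return 1 ;;
                    *,hidepw,*) ;;                  # already set
                    ,,) list=hidepw ;;              # empty flags= value
                    *)  list="$list,hidepw" ;;      # keep other flags
                esac
                arg="flags=$list" ;;
        esac
        out="$out$arg
"
    done
    [ "$seen_flags" -eq 1 ] || out="${out}flags=hidepw
"
    printf '%s' "$out"
}

# Run adpatch with the enforced arguments. ADPATCH_BIN is a hypothetical
# override used for dry runs; arguments must not contain newlines.
safe_adpatch() {
    args=$(enforce_hidepw "$@") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f            # no globbing while splitting on newlines
    set -- $args
    set +f
    IFS=$old_ifs
    "${ADPATCH_BIN:-$AD_TOP/bin/adpatch}" "$@"
}
```

Source the file and call safe_adpatch wherever a runbook would call adpatch; setting ADPATCH_BIN=echo prints the final command line without starting a patch session.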
