Patch & Protect Your Oracle Database From AI-Enabled Threats

We hear more and more about the benefits AI models bring to the software industry in terms of efficiency and speed of innovation. One thing we also started hearing last month is that new models also give bad actors new ways to exploit security vulnerabilities.

Oracle Database Engineering is actively working with leading AI model providers to continuously discover vulnerabilities using advanced AI techniques, rapidly remediate them, and deliver fixes via the existing database release updates.

What does this mean to you?

Patch, patch and patch TODAY!
You must apply the quarterly release update (RU) promptly: this is RU31 for 19c (19.31) or RU2 for 26ai (23.26.2). If you are not on 19c or 26ai yet, you must upgrade your database as soon as possible. Also make sure your client libraries are upgraded to 19c or 26ai.
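A quick way to check where a 19c database stands against the RU level called for above, as an added example that is not part of the original post: query the SQL patch registry for the latest successfully applied RU. It assumes SELECT access on DBA_REGISTRY_SQLPATCH and 19c version strings of the form 19.NN.0.0.0.

```sql
-- Added example (not from the post): report the Release Update level of a 19c
-- database and flag it when it is below the RU the post calls for (19.31).
-- Assumes 19c version strings such as '19.31.0.0.0' in TARGET_VERSION.
WITH ru_history AS (
  SELECT patch_id,
         description,
         target_version,
         action_time,
         ROW_NUMBER() OVER (ORDER BY action_time DESC) AS rn
  FROM   dba_registry_sqlpatch
  WHERE  patch_type = 'RU'          -- ignore one-off (INTERIM) patches
  AND    action     = 'APPLY'
  AND    status     = 'SUCCESS'     -- a failed datapatch run does not count
  -- If the newest RU was later rolled back, ACTION = 'ROLLBACK' rows show it.
),
current_ru AS (
  SELECT patch_id,
         description,
         target_version,
         action_time,
         -- the second dotted component is the RU number, e.g. 31 in 19.31.0.0.0
         TO_NUMBER(REGEXP_SUBSTR(target_version, '[^.]+', 1, 2)) AS ru_number
  FROM   ru_history
  WHERE  rn = 1
)
SELECT patch_id,
       description,
       target_version,
       action_time,
       CASE
         WHEN ru_number >= 31 THEN 'OK: at or above 19.31'
         ELSE 'ACTION: below 19.31, apply the current RU'
       END AS patch_status
FROM   current_ru;
-- This reflects what datapatch registered in the database; the Oracle Home
-- binaries themselves are listed with "opatch lspatches" from that home.
```

No rows returned means no RU has ever been applied successfully to this database, which is itself a finding.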

Changes are also coming to the way and frequency in which Oracle delivers security patches. From the Accelerating Vulnerability Detection and Response blog:

Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs. 

This approach enables customers to apply critical fixes more quickly on premises, while continuing to support established quarterly patching cycles through cumulative updates. All patches are applied automatically in Oracle-managed cloud environments.  

Review recent communication information

This information is now available through several channels including blog posts & MOS.

What can you do to patch easier & faster?

As Mike Dietrich mentioned in his post, we live in an interesting and challenging era that we can't stop, so we should rather be prepared. For Oracle Database Administrators this means having all your Oracle databases upgraded and patched to either 19.31 or 23.26.2. Patch NOW!

To make this process easier, use automation tools like Oracle AutoUpgrade, FPP or Oracle Database Lifecycle Management in OEM.

If you have additional questions contact your Oracle Sales representative or your Oracle Architect.

UPDATE (May 5th):

Integrated Cyber Center issued a note on the upcoming CSPUs.

Beginning May 28, 2026, Oracle will deliver a Critical Security Patch Update (CSPU) each month. CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release.

Support has also issued product-specific guidance notes. I recommend taking a look at the general note, as it links to the notes for several specific products:

Thanks,
Alfredo

Improve Oracle Database Security With Enterprise Manager 13c

IT security is a popular topic nowadays! We constantly hear news about data breaches, ransomware, malware, unauthorized access to IT systems, etc. IT organizations are constantly looking to keep their systems, networks and data safe and secure.

Today's blog is about how Oracle Enterprise Manager (EM) can help Database Administrators secure and harden the Oracle Databases they manage, along with the hosts those databases are running on.

First things first. I strongly recommend reviewing the Oracle Database 19c Security Guide. This guide provides guidelines on how to secure the Oracle Database, harden DB access, secure and encrypt DB data, and so on.



Now let’s discuss some areas that database administrators should also look at in order to improve their security posture:

  • Timely apply security patches
  • Monitor database configuration and detect misconfigurations
  • Use industry and regulatory standards like STIG and CIS for the Oracle Database

All the features that we will be discussing today are part of the Oracle Database Lifecycle Management pack. This pack requires an additional license.

Timely apply security patches

Fleet Maintenance (FM) enables administrators to automate lifecycle activities such as database patching and upgrades. FM is a gold-image, subscription-based model that allows you to patch databases with minimum downtime by using out-of-place patching. In-place patching is also available if you need to apply an emergency one-off patch.

Administrators have the ability to customize the patching process by adding custom pre/post scripts to patching operations. FM supports single instance, RAC databases, Grid Infrastructure, Multitenant and Data Guard configurations.

One thing to mention is the ability to get security patch recommendations as soon as they are published. EM connects to My Oracle Support (MOS) and checks for the availability of new security patches. As soon as a new security patch is released, EM will let you know whether your DB estate is compliant with it or not.



Monitor database configuration and detect misconfigurations

Configuration and Drift Management helps you monitor the configuration of your DB estate, the hosts those DBs are running on, as well as the Oracle Homes (OH) of those installations. EM allows you to create your own configuration templates based on the configuration settings you need to enforce. Any misconfiguration or drift away from your template will be automatically reported via the Drift Management dashboard, and you can also receive alerts if you choose to.

Corrective Actions (CA) can also be created to automatically fix these misconfigurations in order to comply with the templates and reduce security risks.

How many times have administrators issued an ALTER SYSTEM command with SPFILE scope and forgotten about it? Well, you will find out the next time you bring your DB up after maintenance. EM helps you detect these changes before they become a production issue. It also helps you track the history of configuration changes, save configuration information at a given point in time, and compare that configuration information between targets.
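One way to catch the forgotten SPFILE-scope change described above from inside the database itself, as an added example that is not part of the original post: compare V$SPPARAMETER (what the next startup will use) against V$PARAMETER (what is running now). It assumes a single-instance database, so only the SID '*' entries are considered, and SELECT access on both views.

```sql
-- Added example (not from the post): list parameters whose on-disk SPFILE value
-- differs from the running instance, and parameters changed in memory only.
WITH spfile_vals AS (
  -- V$SPPARAMETER holds one row per value for multi-valued parameters
  -- (e.g. control_files), so collapse them in ORDINAL order.
  SELECT name,
         LISTAGG(display_value, ', ') WITHIN GROUP (ORDER BY ordinal) AS spfile_value
  FROM   v$spparameter
  WHERE  isspecified = 'TRUE'
  AND    sid = '*'            -- assumption: single instance; on RAC add the instance SID
  GROUP  BY name
)
SELECT p.name,
       p.display_value AS memory_value,
       s.spfile_value,
       CASE
         -- SCOPE=SPFILE change waiting to take effect at the next startup
         WHEN s.spfile_value IS NOT NULL
          AND REPLACE(UPPER(s.spfile_value), ' ') <> REPLACE(UPPER(p.display_value), ' ')
           THEN 'PENDING: SPFILE value takes effect at next startup'
         -- SCOPE=MEMORY change with nothing in the SPFILE: lost at the next startup
         WHEN p.ismodified = 'SYSTEM_MOD' AND s.spfile_value IS NULL
           THEN 'VOLATILE: changed in memory only, lost at next startup'
       END AS finding
FROM   v$parameter p
LEFT   JOIN spfile_vals s ON s.name = p.name
WHERE  (s.spfile_value IS NOT NULL
        AND REPLACE(UPPER(s.spfile_value), ' ') <> REPLACE(UPPER(p.display_value), ' '))
   OR  (p.ismodified = 'SYSTEM_MOD' AND s.spfile_value IS NULL)
ORDER  BY p.name;
```

Values are compared case- and whitespace-insensitively, but a value specified with a unit suffix in the SPFILE (for example 2g) may still display differently from the in-memory value and deserves a manual look before being treated as drift.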

Have you ever wondered how many OHs you have with a specific one-off patch?

How many DBs are running on a specific OS version?

Well, EM can help you answer all these questions using this configuration data.

One thing worth mentioning is that EM comes with hundreds of configuration collections. If you need to gather a very specific configuration that is not available out-of-the-box, you can create your own configuration extension and collect it automatically.



Use industry and regulatory standards like STIG and CIS for the Oracle Database

EM provides compliance standards to help customers meet regulatory standards like STIG and CIS. Oracle’s best practices are also included within the compliance framework. There are two available options for analysis.

  • Rule based analysis
  • Real-time change

Each option allows administrators to understand where attention needs to be focused in order to harden the DB estate.

Using the compliance framework, EM will provide a score to each associated target along with all the violations that need to be remediated after each evaluation.



I also want to provide links to the Oracle LiveLabs workshops available that cover the features discussed above.

Thanks,
Alfredo

Oracle Enterprise Manager Security - Disable SYSMAN access

In Enterprise Manager 12c the SYSMAN user is the repository schema owner, and as a best practice all users should log in using their own individual accounts. To enforce this you can prevent SYSMAN from logging into the console and/or EM CLI by setting SYSTEM_USER to -1 in the MGMT_CREATED_USERS table:
UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER = '-1'
WHERE USER_NAME = 'SYSMAN';
COMMIT;
To re-enable the access just set it to 1.
UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER = '1'
WHERE USER_NAME = 'SYSMAN';
COMMIT;
Refer to Oracle Support’s note:
How To Disable SYSMAN & SYSTEM Users from Logging into Grid Console? (Doc ID 867360.1)
Thanks,

Alfredo