IBM Guardium


IBM Guardium DPS Update

IBM Guardium
DPS Update (8.2, 9.1, 10.0) – February 2016

Contents

IBM Guardium
DPS Update (8.2, 9.1, 10.0) – February 2016
About this Document
Target Audience
Note on February 2016 DPS and Oracle database
Note for November 2015 DPS
Information related to earlier v9.x patches
Patch 508 - CVE and patch enhancement
CVE test fix for MS-SQL Server
Database versions and Patch reporting
Database Protection Service (DPS)
DPS Files for 8.2
Updated Database Vendor Version Patches – 8.2
Updated Groups – 8.2
Common Vulnerabilities and Exposures – 8.2
DPS Files for 9.10
Updated Database Vendor Version Patches – 9.10
Updated Groups – 9.10
Common Vulnerabilities and Exposures – 9.10
DPS Files for 10.0
Updated Database Vendor Version Patches – 10.0
Updated Groups – 10.0
Common Vulnerabilities and Exposures – 10.0

About this Document

This document provides a listing of the updates that have been made and are available for IBM Guardium Database Protection Service (DPS).

Target Audience

This document is intended for IBM Guardium version 8.2, 9.x and 10.0 customers.

Note on February 2016 DPS and Oracle database

The latest IBM Guardium DPS complies with Oracle's latest patch numbering for Oracle CVE and patch tests.

To find out more about Oracle's latest patch numbering scheme, please refer to Oracle's website for "Doc ID 2061926.1 Oracle Database, Enterprise Manager and Middleware - Change to Patch Numbering from Nov 2015 onwards". This feature is available in Guardium v9 and v10 releases.

Based on research by Guardium, it is possible, in some Oracle 12.1 Windows OS environments, that Oracle is no longer writing the database patch information into the sys.registry$history view.

Guardium is researching and reviewing such cases, and confirming them with Oracle support, to better understand this behavior. We will take future enhancement action, as necessary, to provide our customers the best possible scan experience.

Guardium has been relying on the sys.registry$history view for years to accurately determine the database patches applied for all Oracle releases on all platforms, to bring the best possible execution experience to our customers. If you experience this issue, please have your DBA confirm that the database is in fact patched by running "opatch lsinventory" at the server level and confirming that the Windows bundle patch is shown.

If your DBA is absolutely sure about this, then please insert this row into the sys.registry$history view so that our CVE tests will confirm your patch. In the query below, please substitute your database version for the version shown.

    -- Record the Windows bundle patch so that the CVE tests can see it.
    -- Replace '12.1.0.1' (and the matching comment text) with your database version.
    insert into "SYS"."REGISTRY$HISTORY" (ACTION_TIME, ACTION, NAMESPACE, VERSION, ID, COMMENTS, BUNDLE_SERIES)
    values (sysdate, 'APPLY', 'SERVER', '12.1.0.1', 160119, 'WinBundle 12.1.0.1.160119', 'PSU');
    commit;

Note for November 2015 DPS

The November 2015 DPS for v9.1 is dependent on v9.0/9.1 GPU p600 for the new Oracle CVE OJVM tests. The November 2015 DPS for v8.2 and v10.0 are not dependent on any Guardium release.

In the November 2015 DPS release, Guardium introduces a new type of Oracle CVE test that checks for Oracle OJVM patches. These are patches that check for JAVA fixes in the Oracle home binaries.

The November 2015 DPS will upload fine if customers do not have the v9.0/9.1 p600 patch. However, the Oracle CVE tests that check the OJVM patch will not work correctly.

There are three CVE tests that check for the OJVM patch: CVE-2015-4794, CVE-2015-4796 and CVE-2015-4888. These tests are listed in the v9.1 and v10.0 CVE sections.
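The following added example (not part of the IBM document, and not Guardium's own test logic) relates to the February 2016 Oracle note above: it models a patch check that reads rows shaped like sys.registry$history and compares the recorded bundle ID with a required five-field bundle version, showing why a database with no recorded row cannot be confirmed until the row exists. The function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample rows shaped like sys.registry$history:
# (ACTION, NAMESPACE, VERSION, ID, COMMENTS, BUNDLE_SERIES)
ROWS_OLD_STYLE = [("APPLY", "SERVER", "12.1.0.1", 5, "PSU 12.1.0.1.5", "PSU")]
ROWS_AFTER_INSERT = ROWS_OLD_STYLE + [
    ("APPLY", "SERVER", "12.1.0.1", 160119, "WinBundle 12.1.0.1.160119", "PSU")]

_BUNDLE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")

def split_bundle(bundle):
    """'12.1.0.1.160119' -> ('12.1.0.1', 160119).

    The fifth field is a small counter under the old numbering and the
    release date as YYMMDD from Nov 2015 onwards, so comparing it as an
    integer orders bundles by release under both schemes.
    """
    m = _BUNDLE.match(bundle.strip())
    if m is None:
        raise ValueError(f"not a five-field bundle version: {bundle!r}")
    return m.group(1), int(m.group(2))

def recorded_level(rows, base_version):
    """Highest bundle ID recorded as applied for base_version, or None."""
    ids = [row[3] for row in rows
           if row[0] == "APPLY" and row[1] == "SERVER" and row[2] == base_version]
    return max(ids) if ids else None

def grade(rows, required_bundle):
    """Pass/Fail for a required bundle level (this example's model only)."""
    base, required_id = split_bundle(required_bundle)
    level = recorded_level(rows, base)
    if level is None:
        # The Windows case in the note: patched, but nothing was recorded.
        return "Fail (no patch row recorded)"
    return "Pass" if level >= required_id else f"Fail (at {base}.{level})"

if __name__ == "__main__":
    required = "12.1.0.1.160119"
    for label, rows in (("empty view", []),
                        ("old-style PSU only", ROWS_OLD_STYLE),
                        ("after the insert", ROWS_AFTER_INSERT)):
        print(f"{label}: {grade(rows, required)}")
```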

Information related to earlier v9.x patches

Patch 508 - CVE and patch enhancement

Guardium recommends that all customers who use Vulnerability Assessment for Oracle and Sybase ASE install patch 508.

Note: All Oracle and Sybase ASE CVE and Patch tests from this DPS onward will require this patch to ensure accuracy of the scan.

Patch 508 introduces two important features into Guardium's CVE test delivery mechanism:

- The ability to understand Sybase ASE 16 SP patches and PL patches. This is something new in Sybase ASE 16.
- Oracle 12c Database Patch for Engineered Systems and Database In-memory 12.1.0.2.x

In October 2014, Oracle announced a new bundle patch option for Database 12.1.0.2. The Database Patch for Engineered Systems and Database In-memory provides critical bug fixes for Exadata or Oracle Database, or both, with the In-memory option. The Oracle patch also includes all CPU security fixes and the Database PSU 12.1.0.2.1 bug fixes.

CVE test fix for MS-SQL Server

V9.0/9.1 patch 311 is required to be added to v9.0/9.1 GPU 300 only if using MS-SQL Server. Patch 311 is not required in the CVE tests for any other database.

Patch 311 is a fix for MS-SQL Server CVE tests that reported "Not/Applicable for the DB version" when the actual test grade should have been either Pass or Fail.

Database versions and Patch reporting

- Due to the database version and patch reporting changes introduced by Oracle 12c and Oracle 11g on Windows, the Guardium test mechanism has been enhanced to continue to deliver new tests that adopt the database vendor's changes. This impacts Oracle version and patch tests and any CVE tests for the Oracle Windows platform only. This fix was addressed in Guardium v8.20 GPU 230 and v9 GPU 200.
- Sybase was acquired by SAP, and as a result its database patching mechanism was changed. The Guardium test mechanism has been enhanced to address this Sybase/SAP change. This impacts all Sybase CVE tests and version and patch tests. This fix was addressed in Guardium v8.20 GPU 230 and v9 GPU 200.
- Netezza version and patch reporting was enhanced recently. The Guardium test mechanism has been enhanced to address this Netezza change. This impacts Netezza version and patch tests. This fix was addressed in Guardium v8.20 GPU 230 and v9 GPU 200.

We understand that Guardium customers may not be able to upgrade to v9 GPU 200 or v8.2 GPU 230 as quickly as they would like. If a customer upgrades to one of these GPUs, all functionality for VA will work correctly with the most recent DPS. If a customer chooses to upload this DPS but is not on one of these GPUs, all their existing tests will continue to work fine. However, any new CVE tests introduced by this DPS are not guaranteed to work, nor are the version and patch tests that use the latest metadata from database vendors.

Database Protection Service (DPS)

IBM Guardium DPS is a subscription service that provides periodic updates to vulnerability tests as well as other predefined content (reports, groups, policies).

DPS Files for 8.2

MD5SUM: 6fc8a93b13fcef197c22147a457438d3
/8.2/DPS/MASTER GROUP MEMBERS load 20160205.enc

Updated Database Vendor Version Patches – 8.2

DB2 Database Version Patches
  10.5    Fix Pack7 , s151221

Informix Database Version Patches
  12.10   FC6
  12.10   TC6
  12.10   UC6

MS Sql Server Database Version Patches
  12.0    4436
  11.0    6518

MySql Database Version Patches
  5.5     47*
  5.6     28*
  5.7     10*

Oracle Database Version Patches
  12.1.0.2   PSU 12.1.0.2.160119
  12.1.0.2   WinBundle 12.1.0.2.160119
  12.1.0.1   PSU 12.1.0.1.160119
  12.1.0.1   WinBundle 12.1.0.1.160119
  11.2.0.4   CPUJAN2016
  11.2.0.4   PSU 11.2.0.4.160119
  11.2.0.4   WinBundle 11.2.0.4.160119
  11.2.0.4   BP160119

Sybase Database Version Patches
  15.7       EBF%SP136

Teradata PDE Version Patches
  14.10.06   11
  15.00.05   01
  15.10.01   03

Teradata TDBMS Version Patches
  14.10.06   11
  15.00.05   01
  15.10.01   03

Teradata TDGSS Version Patches
  15.00.05   01
  15.10.01   01

Teradata TGTW Version Patches
  15.00.05   01
  15.10.01   01

Netezza Version Patches
  7.1.0   8-P1
  7.2.0   7
  7.2.1   1

Postgress Version Patches
  9.5     0*

Updated Groups – 8.2

Columns: Group ID, Group Name, Type, New/updated items
none

Common Vulnerabilities and Exposures – 03

DPS Files for 9.10

MD5SUM: 3b94e3de668717c982db8107b530da92
/v90/DPS/MASTER GROUP MEMBERS load 20160205.enc

Updated Database Vendor Version Patches – 9.10

DB2 Database Version Patches
  10.5    Fix Pack7 , s151221

Informix Database Version Patches
  12.10   FC6
  12.10   TC6
  12.10   UC6

MS Sql Server Database Version Patches
  12.0    4436
  11.0    6518

MySql Database Version Patches
  5.5     47*
  5.6     28*
  5.7     10*

Oracle Database Version Patches
  12.1.0.2   PSU 12.1.0.2.160119
  12.1.0.2   WinBundle 12.1.0.2.160119
  12.1.0.2   12.1.0.2.160119DBBP
  12.1.0.1   PSU 12.1.0.1.160119
  12.1.0.1   WinBundle 12.1.0.1.160119
  11.2.0.4   CPUJAN2016
  11.2.0.4   PSU 11.2.0.4.160119
  11.2.0.4   WinBundle 11.2.0.4.160119
  11.2.0.4   BP160119

Sybase Database Version Patches
  16.0       02.02
  15.7       EBF%SP136

Teradata PDE Version Patches
  14.10.06   11
  15.00.05   01
  15.10.01   03

Teradata TDBMS Version Patches
  15.00.05   01
  15.10.01   03

Teradata TDGSS Version Patches
  15.00.05   01
  15.10.01   01

Teradata TGTW Version Patches
  15.00.05   01
  15.10.01   01

Netezza Version Patches
  7.1.0   8-P1
  7.2.0   7
  7.2.1   1

Postgress Version Patches
  9.5     0*

SybaseIQ Database Version Patches
  16.0    sp11
  15.4    ESD 7

Updated Groups – 9.10

Columns: Group ID, Group Name, Type, New/updated items
none

Common Vulnerabilities and Exposures – 16-0596

DPS Files for 10.0

MD5SUM: 43bbf15691b6438c632c567e4bc8d8a5
/v90/DPS/MASTER GROUP MEMBERS load 20160211.enc

Updated Database Vendor Version Patches – 10.0

DB2 Database Version Patches
  10.5    Fix Pack7 , s151221

Informix Database Version Patches
  12.10   FC6
  12.10   TC6
  12.10   UC6

MS Sql Server Database Version Patches
  12.0    4436
  11.0    6518

MySql Database Version Patches
  5.5     47*
  5.6     28*
  5.7     10*

Oracle Database Version Patches
  12.1.0.2   PSU 12.1.0.2.160119
  12.1.0.2   WinBundle 12.1.0.2.160119
  12.1.0.2   12.1.0.2.160119DBBP
  12.1.0.1   PSU 12.1.0.1.160119
  12.1.0.1   WinBundle 12.1.0.1.160119
  11.2.0.4   CPUJAN2016
  11.2.0.4   PSU 11.2.0.4.160119
  11.2.0.4   WinBundle 11.2.0.4.160119
  11.2.0.4   BP160119

Sybase Database Version Patches
  16.0       02.02
  15.7       EBF%SP136

Teradata PDE Version Patches
  14.10.06   11
  15.00.05   01
  15.10.01   03

Teradata TDBMS Version Patches
  14.10.06   11
  15.00.05   01
  15.10.01   03

Teradata TDGSS Version Patches
  15.00.05   01
  15.10.01   01

Teradata TGTW Version Patches
  15.00.05   01
  15.10.01   01

Netezza Version Patches
  7.1.0   8-P1
  7.2.0   7
  7.2.1   1

Postgress Version Patches
  9.5     0*

SybaseIQ Database Version Patches
  16.0    sp11
  15.4    ESD 7

MongoDB Database Version Patches
  3.0     9
  3.2     1

Aster Database Version Patches
  6.00.01 00

Cloudera Hadoop Version Patches
  5.4     7

Updated Groups – 10.0

Columns: Group ID, Group Name, Type, New/updated items
263   Suspicious commands for STP attacks   3

Common Vulnerabilities and Exposures – 16-0596

IBM Guardium Licensed Materials - Property of IBM. Copyright IBM Corp. 2016. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” (www.ibm.com/legal/copytrade.shtml)
