
Oracle’s January 2010 Critical Patch Update is out

Oracle has just released the January installment of their quarterly Critical Patch Update (CPU). Vulnerability CVE-2010-0071 is particularly critical, with a CVSS score of 10, the highest possible. It’s a remotely-exploitable listener vulnerability that’s particularly severe on Windows platforms.

Full details are on Oracle’s security site.

Oracle clamps down on multicore licensing

I was reviewing Oracle’s Processor Core Factor Table, which lists the multiplier used to calculate the Oracle Enterprise Edition CPU license requirements, and noticed something interesting: the preferential 0.5 core multiplier that formerly applied to all Intel/AMD chips has now been restricted to:

  • Intel Xeon Series 74XX, Series 55XX or earlier Multicore chips
  • Intel Itanium Series 91XX or earlier Multicore chips
  • Intel or AMD Desktop, Laptop/Notebook, or Netbook Multicore chips

What does this mean? Although most if not all currently-available processors see no changes, future multicore server CPU generations will have a cost factor of 1.0, doubling the cost of licensing them for Oracle. For a single Quad-core server running Oracle RAC, it would result in $166,000 in additional licensing costs.

Is Oracle covertly hiking their license fees? Or will they loosen the restrictions once new processors arrive? Do they remember the backlash to their earlier multicore policies?

Oracle’s quarterly Critical Patch Update is out

The latest quarterly update came out this morning. There are no oh-my-god smoking guns this time, but there are several medium-importance patches:

  • CVE-2008-2607: Vulnerability in DBMS_AQELM (Advanced Queuing package for e-mail and HTTP notifications)
  • CVE-2008-2613: Vulnerability in DBMS_SCHEDULER, requiring access to a local user in the oinstall group for exploitation
  • CVE-2007-1359: Remotely-exploitable vulnerability in Oracle App Server. This is an issue in the ModSecurity application firewall, originally reported in March 2007, that allows some security checks to be bypassed given a specially-formatted string. The original advisory is here.
  • CVE-2008-2589: PL/SQL injection flaw in Oracle Portal. Details were posted to the full-disclosure list in conjunction with the patch.
  • CVE-2008-2594 and CVE-2008-2609: These look like two more injection flaws in Portal.

If you’re running Oracle Collaboration Suite, note that the patch blows away the login and logout pages (oops!). MetaLink note 445172.1 has info on how to restore the pages post-patch.

It’s Oracle patch time again

It’s yet again time for Oracle’s critical patch update (CPUJAN2008). The update will be released on Tuesday January 15, and as yet there are no details on exactly which vulnerabilities have been fixed, but the pre-release description page lists the following products as having remotely-exploitable issues that do not require authentication (number of issues in parentheses):

  • Oracle Application Server (5)
  • Oracle E-Business Suite (3)
  • Oracle Enterprise Manager (1)
  • PeopleSoft Enterprise (1)

So especially for you folks running the above products, start planning your maintenance windows!

Oracle standard edition has no multi-core licensing restrictions

In this article on hemant’s blog from last June, he made an interesting observation:

1. Oracle has priced for the Xeon QuadCore Processor at the rate of 1 Processor based on
the single socket justified as “When licensing Oracle programs with Standard Edition One or Standard Edition in the product name, a processor is counted equivalent to an occupied socket” for a 3-year licence. Thus, Oracle used the combination of “Processor, not Core” for SE/SE-One and 50% of List price for a 3-Year Licence.

The Oracle store website’s licensing page has the exact same wording.

This means that, with SE/SEOne, you can really stretch your Oracle licensing dollar: an 8-way box with a pair of quad-core processors can be licensed with SEOne (in the US) for $10k, and $2k/year for support (sold on a per-chip basis too).

Now imagine running it on an 80-core chip!

Oracle 11g Solaris/AIX/HP-UX/Win64 are out

The 11g platforms are now coming out fast and furious:

Windows 64-bit
Solaris SPARC 64-bit
AIX PPC64
HP-UX Itanium

In addition to the previously-released:

Linux x86 32-bit
Linux x86 64-bit
Windows 32-bit

So download away, after checking your platform certification first, of course.

Planned future platforms:

Apple Mac Intel OSX
HP-UX PA-RISC
OpenVMS Itanium 64-bit
Linux LPAR on IBM z-series mainframes
Linux on IBM Power
Linux on Itanium
Solaris x86 64-bit

Oracle 11g for Windows is out

Hot on the heels of the Linux 64-bit release, Oracle 11g for Windows (32-bit only for now) is now available for download on OTN.

As usual for the 32-bit release, a 32-bit x86 operating system is required. Certification for Windows XP, Windows Server 2003, and Vista is “projected for Q4”, but Windows 2000 will not be supported.

Oracle 11g for Linux 64-bit now available

It looks like the second public platform release for Oracle 11g is (surprise, surprise) Linux x86-64. Downloads are available on OTN.

As with previous Linux releases, 32-bit Oracle with a 32-bit OS and 64-bit Oracle with a 64-bit OS are supported, but 32-bit Oracle with a 64-bit OS is not.

Note also that sqlplus does not play well with SELinux under RHEL5; workarounds are to disable SELinux entirely, or to manually change the context of Oracle libraries to textrel_shlib_t. More details are in MetaLink note 454196.1 (login credentials required).
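Of the two workarounds above, relabelling the libraries is the one to prefer: disabling SELinux to fix one binary removes a system-wide control. The script below is an added example written for this post, not code from the post, from Oracle, or from MetaLink note 454196.1. It assumes the libraries live under $ORACLE_HOME/lib and that chcon, semanage and restorecon are the tools used to set and persist the textrel_shlib_t type; the function names are mine. It prints a dry-run plan by default so the file list can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not from the original post or from Oracle/MetaLink note 454196.1.
# Goal: keep SELinux enforcing and label only Oracle's shared libraries as
# textrel_shlib_t (the type the post names), rather than disabling SELinux.
# Assumptions (mine, not the post's): the libraries live under $ORACLE_HOME/lib,
# and chcon/semanage/restorecon are the tools used to set and persist the type.

# Print (mode=plan) or run (mode=apply) one chcon per shared object found
# under the given directory. Plan mode lets you review the list first.
relabel_oracle_libs() {
    dir="$1"
    mode="${2:-plan}"
    find "$dir" -type f -name '*.so*' | sort | while IFS= read -r lib; do
        if [ "$mode" = apply ]; then
            chcon -t textrel_shlib_t "$lib"
        else
            printf 'chcon -t textrel_shlib_t %s\n' "$lib"
        fi
    done
}

# chcon changes only the label on disk; a later restorecon or a full filesystem
# relabel resets files to the policy default and the sqlplus error comes back.
# Recording a file-context rule with semanage makes the label survive that.
# This function prints the commands rather than running them (they need root).
persist_context_rule() {
    dir="$1"
    printf 'semanage fcontext -a -t textrel_shlib_t "%s(/.*)?\\.so.*"\n' "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Count shared objects under a directory that still lack textrel_shlib_t,
# using ls -Z output (only meaningful on an SELinux-enabled host).
count_unlabeled() {
    dir="$1"
    find "$dir" -type f -name '*.so*' -exec ls -Z {} + 2>/dev/null \
        | grep -vc 'textrel_shlib_t' || true
}

# Stand-alone use: dry-run against a real ORACLE_HOME if one is set.
if [ -n "${ORACLE_HOME:-}" ] && [ -d "$ORACLE_HOME/lib" ]; then
    relabel_oracle_libs "$ORACLE_HOME/lib" plan
    persist_context_rule "$ORACLE_HOME/lib"
fi
```

Run it once in plan mode, check that only Oracle's own libraries appear, then rerun with `apply` as root and record the semanage rule; `count_unlabeled "$ORACLE_HOME/lib"` should then report 0, and the label will survive a later `restorecon`.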

Oracle 10.2.0.3 patchset is out

My colleague Vamsi Chikkam noticed that the Oracle 10.2.0.3 patchset has been released for Linux and Windows 32-bit. The major bugfixes are the same as in my original post, with a few additions:

  • Identical SQL run in different schemas may modify the wrong schema’s tables (bug 5458753)… we have run into this problem at a client site and it’s not pretty. Workarounds include qualifying schema names in SQL and one-off patches for 10.2.0.2. MetaLink note 329673.1 has more details.
  • When cursors are being reloaded frequently in the shared pool, PLS-306/ORA-1722/ORA-1858 errors can occur (bug 4752541)
  • Under Windows platforms, triggers referencing :NEW/:OLD using NCHAR/NVARCHAR character sets can error out (bug 5388136)
  • The same issue as bug 5388136 above also causes compilation errors on 10.2.0.2 databases upgraded from previous releases under Windows(bug 5383828)

Oracle 10.2.0.3 coming soon, and a data guard corruption bug

It looks like Oracle has started testing the 10.2.0.3 patchset. A preliminary list of bugs fixed is in MetaLink note 391116.1. The “important” bug fixes are

  • corruption in NOCACHE LOB’s (bug 5212539, also fixed in 9.2.0.8 and upcoming 10.1.0.x release)
  • wrong results in aggregate functions using the “hash group by” access path (bug 4604970)
  • PGA corruption when using shared server (bug 5114396)
  • Server handle leak in Windows (bug 5077897)
  • workaround for changed locking behavior of SELECT FOR UPDATE queries in 9.2.0.6/10.1.0.4/10.2.0.1 (bug 4969880)

But the most serious issue is index corruption on databases upgraded to 10.1.0.5 through 10.2.0.2, when using Data Guard in redo apply mode. Paraphrasing note 386830.1, bad redo metadata for index blocks gets written, and is not detectable by standard corruption checks. If this same block is used to generate redo of its own (after a state change or instance recovery, for example) the block may get corrupted. Errors will happen when querying or updating such blocks on the standby in read-only mode, or if the standby becomes the primary site. If the corrupt block is a bootstrap index, the database won’t start up at all.

For index corruption to occur, the following things must happen, in order:

  1. The database is upgraded from a pre-10.1.0.5 version to a version between 10.1.0.5 and 10.2.0.2
  2. redo from an index block is applied elsewhere (typically a physical standby/data guard redo apply)
  3. the location where the redo was applied is modified and generates redo of its own (typically after a role change)
  4. Applying this newly-generated redo will result in corruption (typically done to the former primary database after a role change)

To fix:

  • Apply the one-off patch for bug 5380055 on your platform
  • If you have a database that has already applied version 10.1.0.5+ redo (typically a physical standby), there are additional steps in note 386830.1 to “bump” the database SCN. This operation must be done in restricted mode, will require downtime, and can be dangerous, so be careful!