Database Reference
In-Depth Information
Message from Oracle Regarding Patching
Figure
17-41
shows you the option to tie your external MOS (My Oracle Support-metalink) credential with the internal
EM12c installation.
Figure 17-41.
Connecting internal EM to Oracle support is not normally recommended
There are a number of important considerations here. In a secure environment this should be impossible, as
there should be no egress on the firewall from the DB to the Internet. This is to stop an attacker shooting back an
Xterm, shell, etc. after they have gained code execution through the application. A real-life pentest depends on the
ability to egress back from the DB to the sending client outside. This same technique will be used by attackers, and so
the notion of purposefully requiring customers to allow egress from their Oracle estate to the Internet is one that gives
security practitioners nervous headaches and a reminder that their jobs should still be safe—as they are needed to
manage this relationship with the vendor securely.
Even if you were allowed to egress, it is an important strategic decision as to whether you wish to tie MOS and
EM together. If you are considering moving to cloud solutions long term you may consider more closely tying yourself
with Oracle support in this way, but in general the security posture should be a complete hard shell between internal
DB estate and the outside Internet. No compromises—no direct line in or out. Some folks have run Oracle DBs on
Internet-facing IP addresses and they have been owned—don't let it be you.
Generally it is better administration procedure to download patches seperately and take control of the software
install oneself. This is easy to do with EM12c, as we shall demonstrate.
