APEX 5.0.1 was released about a week ago. I started to patch some stuff straight away. We were already on APEX 5.0 across the board, so we didn’t need to do any full installations, just patches.
During the patching I noticed we were getting some issues with supposed misconfiguration of static files. After clearing my browser cache, the message went away, so I tweeted this.
“Regarding APEX 5.0.1 patch. Clear your browser cache, or you may get that static files message, even though config is correct. #orclapex”
Practically before I hit return, Patrick Wolf came back with this.
“@oraclebase Thanks for letting us know. I have filed bug# 21463521 and fixed it for 5.0.2”
We’re a week on now and all our APEX installations are happily running 5.0.1. We had no issues with the upgrades and no problems with the apps.
We are small fry where APEX is concerned, so don’t take this as the green light to upgrade everything yourself. I’m just saying we had no problems with it, which is pretty cool. If APEX is a strategic environment for you, you will probably need to do a lot more testing than us.
Mary Ann Davidson wrote a great piece on her security blog today, which basically talked about focusing on the important vulnerabilities, not necessarily the ones that get the most press. Added to that, the risk associated with a vulnerability may well be different for you compared to everyone else, depending on how your system is used. I agree with what she is saying, but I’m going to take a slightly different angle on the subject.
Over the years I’ve come across lots of different attitudes to database patching from management and DBAs. As more DBAs are now involved in looking after middle tier products like WebLogic, some of those attitudes to patching have moved into that world too. It seems to break down into three camps.
- We don’t need no stinkin’ patches. If this is the way you roll you are a dumb-ass!
- We only patch stuff that represents a vulnerability for us. This sounds kind-of sensible, but life can get very difficult trying to decide what constitutes a threat, especially when you have to consider all layers of the technology stack.
- We always apply all patches. This is logically simple, but you are going to apply a lot more patches, a lot more frequently, which is going to require a lot more testing.
Patching is not just about security.
- Support of some products is tied into the patch version. We see this with Oracle products all the time. There are some important deadlines coming up soon!
- The rest of the world is moving on around you. You might be happy with your unpatched product, but things might break because of external factors. If someone turns off SSLv3 on their application server, you aren’t doing HTTPS callouts from your database to it unless you patch up to 184.108.40.206 or later. Your applications will probably get browser compatibility issues on newer browsers and mobile devices unless you keep on top of patching your development frameworks.
- Patches like the database PSUs come with extra functionality, including backports of features from newer releases (redaction – 220.127.116.11). They can also bring with them features that make future upgrades easier (transport database – 18.104.22.168 onward).
Choosing not to patch is not really an option these days. Your company has to understand this and allocate the correct amount of resource to getting it done. That might mean more staff resources allocated to patching and subsequent testing (rather than doing “productive” work), outsource the work where you can or moving to cloud services where regular patching is part of the deal.
I just read this post by Dirk Nachbar, saying that 22.214.171.124 is now available from edelivery.oracle.com. I’ve downloaded it, so the rest of the world is now allowed to start their downloads.
I assume it will be available from MOS also at some point.
PS. It will allegedly be made available on OTN at some point in the future.