eHealth Patch Release Policy for Oracle Critical Patch Updates (Legacy KB ID CNC TS13789 )
Article ID: 52315
Updated On:
Products
Issue/Introduction
================================
Computer Associates (CA) uses an embedded Oracle database in eHealth. The underlying database for the eHealth products have been created and tuned specifically to meet the stated eHealth application performance requirements. Per CA?s agreement with Oracle, as noted below, CA is under obligation to provide supported CA customers with Oracle patch updates as an integrated patch with CA?s product. In other words, eHealth customers are not permitted to implement upgrades or patches to the eHealth database. Specifically, the agreement states:
"Program updates must be certified and distributed as a component of the application package and the end user shall be unable to upgrade the database or other Oracle program technology versions as a separate component."
The process is as follows:
1) CA will monitor messaging from Oracle regarding Patch Sets, Critical Patch Updates and Security Alerts
2) Within ten-days of an Oracle release, CA will evaluate the information supplied by Oracle to determine if there are bugs/security updates that could impact eHealth?/Oracle operation or security
3) At the end of the ten-day evaluation period CA will publish an Advisory message that details the results of the evaluation. The Advisory will provide details about how CA will address the Oracle update. CA?s actions will vary depending upon the severity of the reported issues and the Oracle delivery vehicle (Patch Set, critical patch update, security update)
For Oracle Patch Sets
Within thirty-days of issuing the Advisory, CA will make the latest patch set available to CA customers on an as-needed basis. CA will perform minimal acceptance testing of the latest Oracle patch set with versions of eHealth? that are currently patched*Customers will not generally be required to install the latest Oracle patch set. However, if during the course of troubleshooting a problem it is determined that the Oracle software needs to be patched CA will require the customer to install the latest patch set.
For Oracle Critical Patch Updates
Within thirty-days of issuing the Advisory, CA will publish a detailed response to the vulnerabilities identified in the update on the Support website CA will provide a script to modify the eHealth?/Oracle database as required to address security issues identified. This script will be made available via CA?s Knowledge Base.
For Oracle Security Alerts
Within thirty-days of issuing the Advisory, CA will make the security patch available to CA customers on an as-needed basis CA will perform minimal acceptance testing of the latest Oracle patch set with versions of eHealth? that are currently patched
A MS Word version of the full support policy is here: Oracle Support Policy
ORACLE CPU IMPACT ASSESSMENTS
=====================
Security alert impact spreadsheet: Oracle Security Alerts
Individual Assessments:
==============
October 2006 CPU (TS13789) : Oracle Announcement
Risk assessment spreadsheet for October 2006 CPU: October 2006 CPU
July 2006 CPU (372928.1) : Oracle Announcement
--------------------------------
Risk assessment spreadsheet for July 2006 CPU: July 2006 CPU
April 2006 CPU (360044.1) : Oracle Announcement
--------------------------------
A detailed risk assessment spreadsheet for the April 2006 CPU has not been added because the determination that the entire patch set was needed makes that level of detail unnecessary. We have released a patch set installer in response to the April 2006 CPU. More information can be found on the CA tech support advisories page: Support Advisories. If more specific information is needed on the April 2006 CPU, please review this document from Oracle: Oracle Announcement
January 2006 CPU (343384.1) : Oracle Announcement
-------------------------------------
A detailed risk assessment spreadsheet for the January 2006 CPU has not been added because the determination that the entire patch set was needed makes that level of detail unnecessary. We have released a patch set installer in response to the January 2006 CPU. More information can be found on the CA tech support advisories page: Support Advisories. If more specific information is needed on the January 2006 CPU, please review this document from Oracle: Oracle announcement
October 2005 CPU (333953.1) : Oracle Announcement
-------------------------------------
A detailed risk assessment spreadsheet for the October 2005 CPU has not been added because the determination that. the entire patch set was needed makes that level of detail unnecessary. We have released a patch set installer in response to the October 2005 CPU, and details can be found in this document: October 2005 CPU. If more specific information is needed on the October CPU, please review this document from Oracle: Oracle announcement
July 2005 CPU (311034.1) : Oracle Announcement
--------------------------------
Risk assessment spreadsheet for July 2005 CPU: July 2005 CPU
April 2005 CPU (301040.1) :
--------------------------------
Risk assessment spreadsheet for April 2005 CPU: April 2005 CPU
January 2005 CPU (293953.1)
------------------------------------
Risk assessment spreadsheet for January 2005 CPU: January 2005 CPU
The script to remove the risks associated with the CPUs mentioned above is here: Oracle CPU script. Note: this script fixes minor issues that do not require the use of the Oracle Universal Installer.
If you have any questions regarding this process, please contact CA eHealth Technical Support for assistance.
.Related Issues/Questions:
How does CA handle security patches and other patches from Oracle
CA's approach to patches and security advisories from Oracle
Oracle patch policy
How to apply Oracle patches to eHealth
Technical Support Announcement: Oracle Patch Release Policy for eHealth 5.6.5, 5.7 and 6.0
Problem Environment:
eHealth
Oracle
Technical Support Announcement
(Legacy KB ID CNC TS13789 )
Environment
Component:
Attachments
Feedback
