Checking vulnerabilities for Oracle Data Integrator version 12.2.1.3.0

oracleSecurity

I understand October 2020 Oracle patches included security updates for Oracle Data Integrator (ODI) version 12.2.1.3.0.

The application admin who is managing ODI for us is really new and used to be with Windows desktop support. He is willing to help but needs guidance on what to look for.

  1. How can we determine whether the Oracle Data Integrator version 12.2.1.3.0 we are running is vulnerable to CVE 2020-5398? The application admin ran a Qualys scan and it did not detect a vulnerability for CVE 2020-5398, but an auditor is going to be visiting us soon, so we need another confirmation that we are not impacted by CVE 2020-5398. The application admin asked people he knew and did not hear that anyone was using the Spring framework whose vulnerability is fixed in CVE 2020-5398, but since he is new, he is not sure if CVE 2020-5398 affects us or not.

  2. Is there any tool/script by Oracle by which we can definitively know what vulnerabilities affect us for the Oracle Data Integrator version 12.2.1.3.0?

  3. How can we ensure that we are patched for Oracle-released updates and did not miss anything? We use the Qualys application to scan our systems for vulnerabilities, but our auditor needs a second confirmation.

Best Answer

Log on to My Oracle Support and search for "CVE 2020-5398". I just did that and there are many hits listing patches that address this.

But let's suppose a hypothetical question. Suppose the vulnerability is not fixed by any available patch. What is your next course of action?
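
As a second check alongside the Qualys result and the My Oracle Support search, the Spring Framework web jars present under the ODI home can be inventoried and compared with the affected ranges in the Spring advisory for CVE-2020-5398 (5.0.x before 5.0.16, 5.1.x before 5.1.13, 5.2.x before 5.2.3). This is an added example, not part of the original answer and not an Oracle tool; the jar-name pattern and the directory passed on the command line are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# First fixed release per affected branch (Spring advisory for CVE-2020-5398).
FIXED = {(5, 0): (5, 0, 16), (5, 1): (5, 1, 13), (5, 2): (5, 2, 3)}
# Assumption: bundled jars keep "spring" and "web" in the file name.
NAME_RE = re.compile(r"spring.*web.*\.jar$", re.I)

def parse_version(text):
    """Return (major, minor, patch) from strings like '5.2.2.RELEASE', else None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def jar_version(path):
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    version = None
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        version = parse_version(m.group(1)) if m else None
    except (KeyError, zipfile.BadZipFile, OSError):
        pass  # unreadable or manifest-less jar: use the file name instead
    return version or parse_version(path.name)

def classify(version):
    """Map a parsed version to affected / fixed / branch-not-listed / unknown."""
    if version is None:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "branch-not-listed"  # e.g. 4.x or 5.3+: review by hand
    return "affected" if version < fixed else "fixed"

def scan(root):
    """Return (path, version, status) for each matching jar under root."""
    results = []
    for path in sorted(Path(root).rglob("*.jar")):
        if NAME_RE.search(path.name):
            version = jar_version(path)
            results.append((path, version, classify(version)))
    return results

if __name__ == "__main__":
    # Usage: python check_spring.py <ODI home directory>  (path is site-specific)
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:18} {shown:10} {path}")
```

Jars nested inside .war or .ear archives are not opened by this scan, and a reported version is an inventory finding to reconcile with the patches listed in My Oracle Support rather than proof of patch status.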