The Problem
A state government organization was running an Oracle 10g Internet Application Server (iAS, aka OAS) environment with Oracle APEX 4.x, Oracle Forms 10g, and Oracle Reports 10g. In late 2014, an SSL mand-in-the-middle vulnerability was found in environments running SSL in Oracle iAS 10g. The client needed urgent help to patch the environment to protect against the POODLE vulnerability.
The Solution
Since this was the fourth or fifth time M&S had been protecting environments through patches and configuration, the project was very familiar to M&S consultants. M&S understood the environment and architecture and laid out a plan to address DEV, TEST, and PROD. Only PROD had SSL enabled, so decisions were made about the best ways and risks associated to conducting work in other environments that did not mimic production.
The Results
It turns out that patching in DEV and TEST was smooth, but PROD environments did not patch without errors. Due to the uptime requirements for the environment that thousands of users internal and external to the state government relied on daily, resolution of the issues needed to happen rapidly, or a rollback processes needed to begin quickly. In the end, M&S was able to resolve all issues in PROD and successfully patch and protect against the POODLE vulnerability within the timeline and budget planned.