Patching – Application Management – SOA-C02 Study Guide

Patching

This section covers the following official AWS Certified SysOps Administrator – Associate (SOA-C02) exam topics for Domain 3: Deployment, Provisioning, and Automation:

3.1 Provision and maintain cloud resources

3.2 Automate manual or repeatable processes

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. A _____ is a collection of hot fixes.

2. For the term N-1, N refers to the most _____ release of software.

Answers

1. Answer: A rollup is a collection of hot fixes. In some cases, the rollup might contain more than just security updates, but the main focus is to address a collection of security or critical issues with a single update.

2. Answer: For the term N-1, N refers to the most recent stable release of software, and N-1 refers to the previous most recent stable release of the software.

In the following sections, you learn about different types of patches that you may deploy on cloud resources. You also explore different patch features.

Security Patches

A security patch is a specific type of software update that is designed to address a vulnerability. Software updates are normally scheduled in advance; for example, an update for a particular software program may come out every three months. When a vulnerability is made known to the software vendor, it is often not near the date of a regular software update. Even if it were near the date for a regular update, implementing the vulnerability fix in the new release may pose a logistical challenge because the update also contains new changes to the software.

A patch is used instead to create a temporary fix to the problem. Patches are released as needed, often without advance warning. You can keep up with patches by either subscribing to the software vendor’s notification system or by viewing Common Vulnerabilities and Exposures (CVE) notices at https://cve.mitre.org/.

Hot Fixes

When you see the term hot fix, think “quick fix.” A hot fix isn’t intended to be a long-term solution, but rather something to fix the problem while the software vendor works on a more robust and permanent fix. A virtual patch (see the “Virtual Patches” section later) is an example of a hot fix.

Scheduled Updates

As mentioned previously, a scheduled update isn’t a patch, but it may contain code that addresses vulnerabilities like a patch does. Most likely the vulnerabilities have been addressed via previous patches, but occasionally a new vulnerability is fixed with a scheduled update.

Virtual Patches

Virtual patches don’t really address a vulnerability directly but make use of another tool, like a Web Application Firewall (WAF), to provide a short-term fix to the problem. With a virtual patch, a small application is attached to the software with the goal of blocking the access that the vulnerability currently allows.
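The following added example (not part of the original study guide) sketches the idea as a small filter placed in front of an unmodified application. The application, the `/report` path, the `template` parameter, and the blocking rule are all hypothetical and constructed for illustration.

```python
# Added example: a virtual patch as WSGI middleware. All names are hypothetical.
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults


def legacy_app(environ, start_response):
    """Stand-in for the unpatched application; its code is never modified."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"report generated"]


def violates_rule(environ):
    """Constructed rule: assume an advisory says /report mishandles a
    'template' parameter that is over 64 chars or contains path characters."""
    if environ.get("PATH_INFO") != "/report":
        return False
    # parse_qs percent-decodes, so the check sees what the application will see.
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return any(len(v) > 64 or ".." in v or "/" in v or "\\" in v
               for v in params.get("template", []))


class VirtualPatch:
    """Sits in front of the app and rejects requests that match the rule."""

    def __init__(self, app, rule):
        self.app, self.rule = app, rule
        self.blocked = 0  # export to monitoring to see whether the rule fires

    def __call__(self, environ, start_response):
        if self.rule(environ):
            self.blocked += 1
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by virtual patch"]
        return self.app(environ, start_response)


def send(app, path, query=""):
    """Drive a WSGI app in-process and return (status, body)."""
    environ = {"PATH_INFO": path, "QUERY_STRING": query}
    setup_testing_defaults(environ)
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body


if __name__ == "__main__":
    patched = VirtualPatch(legacy_app, violates_rule)
    for query in ("template=monthly", "template=..%2F..%2Fsecret"):
        print(query, "->", send(patched, "/report", query))
```

The application behind the filter is still vulnerable to any request that reaches it by another route, which is why a virtual patch is only a short-term fix until the vendor's patch is installed.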

Signature Updates

A signature update is associated with antivirus software. A virus signature is much like a fingerprint of the virus. Antivirus programs use this signature to determine whether a virus has infected a system.

Ensuring the antivirus signatures are up to date on a system is a very high priority.