Oracle Critical Patch Update October 2010 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming October 2010 Oracle Critical Patch Update (CPU) -

Overall, 50 Oracle security vulnerabilities are fixed in this CPU, which is a average number and well within the range of previous CPUs (Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and excludes any Sun products.
The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -

This is the first CPU to exclude 9.2.0.8 as extended support ended July 2010. The only other major change is the inclusion of Oracle Application Server/Fusion Middleware versions 10.1.3.5.0 and 11.1.1.x.
The highlight of this CPU is 6 of 8 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication. The vulnerabilities are in BI Publisher, BPEL Console, Cabo/UIX, Forms, OID, and Perl components.
Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle October 2010 CPU E-Business Suite Impact Webinar Thursday, October 21, 2pm ET and (2) Oracle October 2010 CPU Oracle Database Impact Webinar Thursday, October 28, 2pm ET.

Oracle Database

There are 7 database vulnerabilities and one is remotely exploitable without authentication.
Since at least one database vulnerability has a CVSS 2.0 metric of 7.5 (practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.

Oracle Application Server

There are 8 new Oracle Application Server vulnerabilities, 6 of which are remotely exploitable without authentication. All the vulnerabilities appear to be in components not normally exposed externally.

Oracle E-Business Suite 11i and R12

There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities, 5 of which are remotely exploitable without authentication.
The vulnerabilities are in the Oracle Applications Manager, Oracle Applications Technology Stack, Oracle E-Business Intelligence, Oracle iRecruitment, and Oracle Territory Management. Of most interest will be the vulnerabilities in iRecruitment and these might exploitable in externally accessible web pages. Customers running iRecruitment should prepare to apply the patches immediately.

Planning Impact

We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in iRecruitment to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.