
Entries For: April 2007

April 20, 2007

Oracle 9.2.0.8 April 2007 CPU Patch Available

Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch well ahead of the scheduled April 30th date.  Media reports were critical of Oracle's failure to release this patch in a timely manner, given the severity of one of the bugs affecting the database running on the Windows platform.

However, the Oracle E-Business Suite patch availability matrix has not yet been updated (Metalink Note ID 420072.1) to reflect the change and still shows the April 30th date.  It is most likely just an oversight, although the issue with the patch may be related to the Oracle E-Business Suite.  If you are planning on or need to apply the patch this weekend, you should open a TAR with Oracle to verify the correct course of action.

April 18, 2007

Oracle Critical Patch Update - April 2007 - E-Business Suite Impact

Oracle released the tenth Critical Patch Update (CPU) yesterday.  This quarter is like the previous nine: many patches and long hours to get all the security patches applied in a timely manner.  Fortunately, this quarter there are no patches required for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.1 patch.

There are important patches for issues in iStore and iSupport that should be fixed as soon as possible.

Oracle Critical Patch Update - April 2007 - E-Business Suite Impact

Oracle Critical Patch Update - April 2007 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session on April 26 giving additional information on the CPU and its impact on your Oracle Applications implementation.  You can sign up for the session at:

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=4/1/2007

April 12, 2007

11i: Encrypted Password String Disclosure

Integrigy has released an advisory regarding an undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user's password or the Oracle Applications main database account password (APPS). The attacker must have direct SQL*Net access to the database (e.g., SQL*Plus), and the vulnerability is exploitable only if neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" is enabled.

In a majority of Oracle Applications implementations, neither "Managed SQL*Net Access" nor "Server Security" is enabled. "Managed SQL*Net Access" is enabled by default beginning with 11.5.10, although it is commonly disabled due to the complexity of managing permitted hosts and the limitation of allowing only a small number of hosts direct access to the database. "Server Security" is not enabled by default in any version of Oracle Applications and is seldom enabled, as the purpose and security benefits of this feature are poorly understood. All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".
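The two features above are what stand between an internal SQL*Net client and the database. As an added example (not code from the original post or from Integrigy), the following script audits a sqlnet.ora for the valid-node-checking parameters, assuming that "Managed SQL*Net Access" is implemented through tcp.validnode_checking and tcp.invited_nodes; the weak and hardened sample configurations are constructed.

```python
# Added example, not code from the original post or from Integrigy; it assumes 11i's
# "Managed SQL*Net Access" maps to sqlnet.ora tcp.validnode_checking/tcp.invited_nodes.
import re

# Constructed sample: unmanaged sqlnet.ora, any host may open a SQL*Net session.
WEAK_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)
"""
# Constructed sample: only the listed application-tier hosts may connect.
HARDENED_SQLNET_ORA = """
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)
tcp.validnode_checking = yes
tcp.invited_nodes = (apps-web01.example.com,
                     apps-cm01.example.com, 10.1.2.3)
"""

def parse_sqlnet_ora(text):
    """Return {lowercased key: value}; parenthesised lists (possibly spanning
    several lines) become Python lists, scalar values stay strings."""
    params, key, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        if key is None:                           # start of a KEY = VALUE entry
            m = re.match(r"([\w.]+)\s*=\s*(.*)", line)
            if not m:
                continue
            key, buf = m.group(1).lower(), m.group(2)
        else:                                     # continuation of an open list
            buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                              # list not closed yet
        params[key] = ([v.strip() for v in buf.strip("()").split(",") if v.strip()]
                       if buf.startswith("(") else buf.strip())
        key = None
    return params

def audit_valid_node_checking(text):
    """Return findings; an empty list means a host allow-list is enforced."""
    p = parse_sqlnet_ora(text)
    findings = []
    if str(p.get("tcp.validnode_checking", "no")).lower() != "yes":
        findings.append("tcp.validnode_checking is not 'yes': any host may connect")
    invited = p.get("tcp.invited_nodes", [])
    if isinstance(invited, str):                  # single host without parentheses
        invited = [invited] if invited else []
    if not invited:
        findings.append("tcp.invited_nodes is empty: no permitted-host list")
    return findings
```

Run it against the sqlnet.ora on the database tier; the hardened sample passes, the unmanaged one yields two findings.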

The underlying issue is that Oracle Applications passwords can be easily decrypted using previously published methods.  There are a number of ways an attacker (most likely an insider) may obtain encrypted password strings, including through ad-hoc query access, from cloned instances such as development, or through SQL injection vulnerabilities in the application or standard database packages. The advisory relates to an additional method of obtaining encrypted password strings through exploitation of a specific undisclosed security vulnerability.

For more information, see the Integrigy Security Advisory: Oracle Applications 11i Encrypted Password Disclosure.

April 10, 2007

Critical Patch Update April 2007 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming April 2007 Critical Patch Update (CPU):

  • Overall, 37 security vulnerabilities are fixed in this CPU, which is much lower than average but in the range of previous CPUs (Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Secure Enterprise Search.  All supported Oracle Database, Oracle Application Server, Oracle Enterprise Manager, and Oracle E-Business Suite versions are included.
Oracle Database
  • There are two vulnerabilities rated as easy to exploit, remotely exploitable, and requiring no authentication, which is not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.
  • Two of the vulnerabilities impact database client installations, which may require a significant patching effort.
  • At least two of the database security vulnerabilities have a CVSS metric of 7.0, which for database vulnerabilities is severe (7.0 is really the practical maximum for a database vulnerability).
  • The major version support change is that 10.2.0.1 appears to no longer be supported on the major platforms (Sun Solaris SPARC, HP/UX, IBM AIX, Linux, Windows x86).

Oracle Application Server
  • The security vulnerabilities exist in COREid Access, Discoverer, Portal, Wireless, Workflow, and Secure Enterprise Search.  None of the issues appear to affect the Oracle HTTP Server (Apache).
  • The major version support changes are that Oracle Application Server 9.0.4.1 and 9.0.4.2 are no longer supported.

Oracle E-Business Suite 11i and R12
  • There are two vulnerabilities rated as easy to exploit, remotely exploitable, and requiring no authentication.  These security bugs most likely exist in iStore, iSupport, and/or iProcurement, which will require immediate patching.
  • All supported versions are included (11.5.7 to 11.5.10 CU2 and 12.0.0).
  • Error Correction Support (ECS) for 11.0.3 ended February 28, 2007.  There are no CPU patches available for 11.0.3 after the January 2007 CPU, even though many of the security vulnerabilities most likely exist in this version.

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • The database client patches will need to be carefully evaluated to determine the impact and potential patching effort.
  • Customers running iStore, iSupport, and/or iProcurement should consider applying these patches as soon as possible.

Note: The pre-release announcement is removed when the CPU is released.