This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the April 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

 

The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations.  The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.

I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session.  I guess security is really starting to become ingrained at many organizations.  I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.

The PowerPoint presentations from my 3 sessions can be downloaded here -

Oracle Applications Users Group (OAUG)

Oracle E-Business Suite Critical Patch Updates: Insight and Understanding

Independent Oracle Users Group (IOUG)

Oracle Database Critical Patch Updates: Unwrapped

Real-life Database Security Mistakes

 

Here is a brief analysis of the pre-release announcement for the upcoming April 2008 Oracle Critical Patch Update (CPU) -

• Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• This is the first CPU that includes fixes for Siebel.
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
• The major CPU version support changes for April 2008 are -
  
• Database version 10.2.0.2 is only supported for Solaris x86 and VMS
• Oracle E-Business Suite 11i will require ATG RUP5 or RUP6
• Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request.  According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU.  For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
  
  

Oracle Database

• There are 17 database vulnerabilities and two are remotely exploitable without authentication.  Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
  
• At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
• According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris X86 and VMS.

Oracle Application Server

• There are 3 new Oracle Applications vulnerabilities, all of which are remotely exploitable without authentication.  Two impact the Oracle Application server components Oracle Dynamic Monitoring Service and Oracle Portal.  The third vulnerability is in Oracle Jinitiator, which is a client installed product.
  

Oracle E-Business Suite 11i and R12

• 7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.
  

Planning Impact

• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released.

In the Oracle pre-release announcement for the April 2008 Critical Patch Update, one line in particular did catch my attention. I know Oracle has purchased many companies in the past few years.  So how many products does Oracle have?  Well, the CPU pre-release announcement states that --

"This Critical Patch Update contains 41 security fixes across hundreds of Oracle products."

I am assuming every Oracle E-Business Suite module counts as a separate product and potentially every database component, so there would be several hundred.  I wonder if Oracle has an official count of products somewhere.  There are 642 products listed in the Bug Search in Metalink.

Just something to think about when you are reviewing a CPU as it includes fixes for over 600 Oracle products.

For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  COLLABORATE 08 is next week, Sunday, April 13 through Thursday, April 17 in Denver.  This year there will be over 500 technical sessions covering virtually every Oracle product. 

Integrigy's CTO, Stephen Kost, will be presenting three technical sessions, participating on a panel, and co-presenting in pre/post conference workshops.

Oracle Applications Users Group (OAUG)

Oracle Critical Patch Updates: Insight and Understanding
Tuesday, April 15, 2008
3:30 PM-4:30 PM

Securing the Oracle E-Business Suite Best Practices Panel
Moderated by Randy Giefer of Solution Beacon
Monday, April 14, 2008
8:00 AM-9:00 AM

Independent Oracle Users Group (IOUG)

120: Oracle Critical Patch Updates Unwrapped
Wednesday, April 16, 2008
1:30 PM - 2:30 PM

383: Real-life Database Security Mistakes
Thursday, April 17, 2008
11:00 AM - 12:00 PM

Pre and Post Conference OAUG Workshops

In conjunction with Jeff Hare of ERP Seminars, Stephen Kost is presenting a 1 hour session on Oracle Applications security at the "Oracle E-Business Suite Internal Controls and Security" pre and post conference workshops.  Integrigy is pleased to be collaborating with Jeff Hare on these workshops as he is one of the world's leading experts on Oracle Applications internal controls. 

Internal Controls and Security Best Practices in an Oracle Applications Environment

• Sunday, April 13 9:00 a.m. - 5:00 p.m.
• Thursday, April 17 9:00 a.m. - 5:00 p.m.

This workshop is an additional fee and requires a separate registration.  More information on the workshops is available on the OAUG COLLABORATE Website.

See you in Denver!

A point of contention and confusion regarding Oracle Critical Patch Update (CPU) database patches is that only a limited set of database patchsets are supported.  For the January 2008 CPU, only the patchsets 9.2.0.8, 10.1.0.5, 10.2.0.2, 10.2.0.3, and 11.1.0.6 are supported.  Oracle's policy is stated in the CPU Frequently Asked Questions (FAQ) (Metalink Note ID 360470.1) -

The "Database, FMW, and OCS Software Error Correction Support Policy Version 2.1" (Metalink Note ID 209768.1) provides more details on the CPU support policy, since there are a number of exceptions or deviations in the policy based on platforms and extended support.  Appendix A gives exact timing for patchset support for the database and Fusion middleware, which is 1 year from the release of the most current patchset.  For database versions under Extended Support, CPU patches will be available for the terminal patchset until Extended Support period ends.

Based on Oracle's policy, all organizations as a matter of policy should apply a database patchset at least annually in order to apply CPU patches on a timely basis.  Oracle maintains strict adherence to this policy with few exceptions.  With the release of 10.2.0.4 in February/March 2008 for Linux and other platforms, CPU support for 10.2.0.3 should be ending March 2009 -- this means no April 2009 CPU for 10.2.0.3.  This support timeline can be problematic for some databases as the application may not allow or certify the newest patchset for a number of months, thus cutting this year to a few months in some cases.

(This may be difficult for many organizations to fathom since many have not yet applied April 2007 nor upgraded from 10.2.0.2.)

An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes.  The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult to to determine the true impact of a specific CPU patch.  By including non-security related fixes in the CPU patch reduces the confidence that the patch will not break something.

With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches.  From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -

Starting with Database patch set 10.2.0.3, CPUs have security fixes and any pre-requisite non-security fixes, but no longer contain non-security fixes introduced to resolve patch conflicts.  Even though Oracle intends to include mainly security fixes in CPUs, we may decide to include high-priority non-security fixes. We will always identify them in the CPU documentation.

This policy is for non-Windows platforms as the Windows CPU database patches are still released as patch bundles (e.g., Patch 16).

The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches.  The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch.