July 31, 2009
Oracle Critical Patch Update October 2009 - 12.0.3 or Higher Only
For those of you who didn't read the Oracle Critical Patch Update (CPU) July 2009 Oracle E-Business Suite documentation (Metalink Note ID 836258.1) closely enough, Oracle has now established a minimum baseline for R12.
Starting with the October 2009 Critical Patch Update -
The new minimum supported baseline will be Release 12.0.3; that is, Oracle E-Business Suite Critical Patch Updates will only be available for customers on Release 12.0.3 or higher.
Oracle Critical Patch Update October 2009 - 11i ATG RUP6 or RUP7 Only
Oracle has officially released the latest Oracle Applications Technology update patch which is formally known as Oracle Applications Technology 11i.ATG_PF.H.delta.7 (RUP7). The patch number is 6241631.
The Oracle policy for Oracle E-Business Suite 11i Critical Patch Updates is very clear -
Oracle Applications Technology (ATG) Minimum Supported Baseline:
Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology only supports the current and previous production rollups (RUPn and RUPn-1) as patching baselines for all 11i releases.
One advantage of applying RUP7 is that it contains Oracle Applications Technology (ATG) security fixes for core ATG products from the January 2005 Critical Patch Update (CPUJan2005) through the July 2009 Critical Patch Update (CPUJul2009). The following core ATG products are included in 11i.ATG_PF.H.delta.7: FND, OAM, OWF, FWK, JTT, JTA, TXK, XDO, ECX, EC, AK, ALR, UMX, BNE, and FRM. Note that this is a large subset of the 11i CPU patches, but does not include any functional module patches such as AP, iStore, etc. You still must review all previous CPUs for missing EBS CPU patches.
July 15, 2009
Oracle Critical Patch Update (CPU) - July 2009 - E-Business Suite Impact
Oracle released the nineteenth Critical Patch Update (CPU) on Tuesday, July 14, 2009 (CPU July 2009/CPUJul09). This quarter is the same as the previous eighteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 12 of the 30 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 (AOL), CVE-2009-1982 (OAF), and CVE-2009-1983 (iStore) are all externally accessible, and two of them are remotely exploitable without authentication. These customers should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - July 2009 - E-Business Suite Impact
July 13, 2009
Oracle Critical Patch Update July 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -
- Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is the 3 vulnerabilities in the Oracle Database that are remotely exploitable without authentication. It is rare to have even a single such vulnerability in the database, and having three could make this a significant and high priority CPU. Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
- There are no major version support changes for this CPU.
Oracle Database
- There are 10 database vulnerabilities and three are remotely exploitable without authentication. As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
- The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components. One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
- Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
Oracle Application Server
- There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools. The highest CVSS 2.0 metric is a 5.0, suggesting that these are only of limited risk. For the Oracle HTTP Server, which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several months later. Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
Oracle E-Business Suite 11i and R12
- There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
- Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
- This is the first CPU with a patch for 12.1.
Planning Impact
- The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
June 16, 2009
11i ATG RUP7 and Critical Patch Updates Impact
Oracle has hinted at the upcoming release of Oracle E-Business Suite 11i.ATG_PF.H.delta.7 (commonly referred to as RUP7), which will most likely be available in the next several months as it is currently undergoing internal testing. Oracle Critical Patch Update patches for Oracle E-Business Suite 11i have the latest ATG RUP patches as a prerequisite - the official prerequisite is RUP N or RUP N-1. The last RUP was ATG RUP6 (5903765), released in October 2007.
Currently for April 2009 CPU patches, RUP5 or RUP6 is required. Due to timing, most likely for July 2009 CPU patches, RUP5 or RUP6 will be required. For planning purposes, it should be assumed that for October 2009 CPU patches, only RUP6 and RUP7 will be supported.
Also, since April 2009 and for all future CPUs, the only 11i CPU supported database versions are 9.2.0.8, 10.1.0.5, 10.2.0.4, and 11.1.0.7.
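The RUP N / RUP N-1 rule, the certified database list, and the announced R12 baseline are easy to get wrong during CPU planning, so here is a small pre-patch check that encodes them. This is an added example, not Integrigy's or Oracle's code; the July 2009 database list comes from the July CPU post above, the October 2009 entry is an assumption built from the June post's 11i database list, RUP7 as the current rollup, and the 12.0.3 R12 baseline from Note 836258.1.

```python
from __future__ import annotations

# Constructed example: CPU baseline check for Oracle E-Business Suite environments.
# The supported versions are transcribed from the posts on this page; this is not
# an Oracle tool and it does not query a live system.


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '11.5.10.2' into (11, 5, 10, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def rup_window(current_rup: int) -> set[int]:
    """ATG baseline policy: only RUP N and RUP N-1 are patching baselines."""
    return {current_rup, current_rup - 1}


CPU_BASELINES = {
    # July 2009: certified database list from the July post; RUP6 current.
    "CPUJul2009": {
        "database": {"9.2.0.8", "10.1.0.5", "10.2.0.4", "11.1.0.6", "11.1.0.7"},
        "atg_rups_11i": rup_window(6),
        "r12_minimum": None,  # no R12 baseline stated for this CPU
    },
    # October 2009 (assumption): 11i database list from the June post,
    # RUP7 (patch 6241631) current, and the announced 12.0.3 R12 baseline.
    "CPUOct2009": {
        "database": {"9.2.0.8", "10.1.0.5", "10.2.0.4", "11.1.0.7"},
        "atg_rups_11i": rup_window(7),
        "r12_minimum": (12, 0, 3),
    },
}


def check_cpu_readiness(cpu: str, db_version: str, ebs_release: str,
                        atg_rup: int | None = None) -> list[str]:
    """Return the upgrades needed before the given CPU can be applied.

    An empty list means the environment is already on a supported baseline.
    """
    base = CPU_BASELINES[cpu]
    findings: list[str] = []
    if db_version not in base["database"]:
        certified = ", ".join(sorted(base["database"], key=parse_version))
        findings.append(f"database {db_version} is not CPU-certified; "
                        f"upgrade to one of: {certified}")
    release = parse_version(ebs_release)
    if release[0] == 11:
        # 11i: the applied ATG rollup decides, not the 11.5.10.x point release.
        if atg_rup is None:
            findings.append("11i requires the applied ATG RUP level to evaluate")
        elif atg_rup not in base["atg_rups_11i"]:
            wanted = " or ".join(f"RUP{r}" for r in sorted(base["atg_rups_11i"]))
            findings.append(f"ATG RUP{atg_rup} is below baseline; apply {wanted}")
    elif release[0] == 12:
        minimum = base["r12_minimum"]
        if minimum is not None and release < minimum:
            findings.append(f"R12 release {ebs_release} is below the "
                            f"{'.'.join(map(str, minimum))} minimum baseline")
    else:
        findings.append(f"release {ebs_release} is not an 11i or R12 release")
    return findings
```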
May 07, 2009
COLLABORATE 09 Integrigy Presentations
The COLLABORATE 09 conference has completed and from all accounts was a success. For those of you not familiar with COLLABORATE, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. This year's conference had over 1,000 technical sessions covering virtually every Oracle product. Integrigy delivered 3 security related presentations and I have uploaded the presentations to our Security Resources section under Whitepapers and Presentations. Here are the links -
Oracle Applications Users Group (OAUG)
- Oracle Critical Patch Updates Unwrapped
Independent Oracle Users Group (IOUG)
- Oracle Critical Patch Updates: Insight and Understanding
- Real World Database Auditing
April 29, 2009
Integrigy at COLLABORATE 09
For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. COLLABORATE 09 is next week, Sunday, May 3 through Thursday, May 7 in Orlando. This year there will be over 1,000 technical sessions covering virtually every Oracle product.
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions:
Oracle Applications Users Group (OAUG)
Oracle Critical Patch Updates Unwrapped
Session #1936
Wednesday, May 6, 2009
9:45am - 10:45am
Independent Oracle Users Group (IOUG)
Oracle Critical Patch Updates: Insight and Understanding
Session #359
Wednesday, May 6, 2008
8:30am - 9:30am
Real World Database Auditing
Session #602
Tuesday, May 5, 2009
11:00am - 12:00pm
See you in Orlando!
April 17, 2009
Oracle Critical Patch Update - April 2009 - E-Business Suite Impact
Oracle released the eighteenth Critical Patch Update (CPU) on Tuesday, April 14, 2009 (CPU April 2009/CPUApr09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 43 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
Again this quarter there are a number of database vulnerabilities that can be exploited by lowly privileged database accounts, including the APPLSYSPUB account. Also, there are 2 denial of service vulnerabilities - one in the database listener and the other in the RAC Cluster Ready Services.
For the Application Server, no action is required for Oracle E-Business Suite 11i. For R12, there is a serious vulnerability in OPMN which is installed and used and multiple issues in BI Publisher (formerly XML Publisher).
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - April 2009 - E-Business Suite Impact
January 15, 2009
Oracle Critical Patch Update - January 2009 - E-Business Suite Impact
Oracle released the seventeenth Critical Patch Update (CPU) on Tuesday, January 13, 2009 (CPU January 2009/CPUJan09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 10 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
This quarter does have a higher than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, although even if it was just one vulnerability the database security patch should still be a priority.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - April 2008 - E-Business Suite Impact
Oracle Critical Patch Update - April 2008 - Version Support Matrix
January 08, 2009
Oracle Critical Patch Update January 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2009 Oracle Critical Patch Update (CPU) -
- Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, and 12.0.x
- The highlight of this CPU is the 9 vulnerabilities in Oracle Secure Backup that are remotely exploitable without authentication. All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
- There are no major version support changes for this CPU. It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.
Oracle Database
- There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
- The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 5.5, which for a database vulnerability should be considered medium to high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
- There are 2 vulnerabilities in the SQL*Plus Windows GUI (sqlplusw) client-side installation. Previously, these types of client-side vulnerabilities have been buffer overflows in passed parameters or environment variables.
Oracle Application Server
- There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.
Oracle E-Business Suite 11i and R12
- There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. It may be possible to exploit the one Oracle Applications Framework vulnerability using any application account, or using generic accounts through modules such as iStore or iRecruitment.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.