
Entries For: January 2009

January 15, 2009

Oracle Critical Patch Update - January 2009 - E-Business Suite Impact

Oracle released the seventeenth Critical Patch Update (CPU) on Tuesday, January 13, 2009 (CPU January 2009/CPUJan09). As with the previous sixteen, this quarter brings many patches and long hours to get all the security patches applied in a timely manner. Around 10 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately, as in the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

This quarter has a higher than average number of database vulnerabilities that can be exploited by low-privileged database accounts, although even if there were just one such vulnerability, the database security patch should still be a priority.

Oracle continues to push customers toward recent versions by certifying the CPU patches only for 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle Critical Patch Update - April 2008 - Version Support Matrix


January 08, 2009

Oracle Critical Patch Update January 2009 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming January 2009 Oracle Critical Patch Update (CPU) -
  • Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix appears to be similar to previous CPUs. All CPU-supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.10.x, and 12.0.x
  • The highlight of this CPU is 9 vulnerabilities in Oracle Secure Backup that are remotely exploitable without authentication. All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
  • There are no major version support changes for this CPU. It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.
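As an added example (not code from the blog), a small Python triage helper that checks each database's version string against the CPUJan09 certified list and the "last CPU" versions quoted above, so version upgrades can be scheduled before the patches are applied. The inventory dict and instance names are constructed; in practice you would fill it from each instance's v$instance.version or v$version banner.

```python
import re

# Database versions certified for CPU January 2009 on major platforms (from the pre-release analysis).
CPU_JAN09_DB_VERSIONS = {"9.2.0.8", "10.1.0.5", "10.2.0.3", "10.2.0.4", "11.1.0.6"}
# Versions for which CPUJan09 is the final CPU: patch now, but schedule an upgrade.
# 10.2.0.2 is not on the certified list above, so it falls under "upgrade-required".
LAST_CPU_DB_VERSIONS = {"10.2.0.2", "10.2.0.3"}

# Oracle versions are reported as 5 components (e.g. 10.2.0.4.0); the CPU list uses 4.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\b")


def normalize_version(text):
    """Extract the first 4-component Oracle version from a v$instance value or v$version banner.
    '10.2.0.4.0' -> '10.2.0.4'; returns None if no version is present."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def cpu_jan09_status(version_text):
    """Classify one database against the CPUJan09 support list.
    Returns 'certified', 'certified-last-cpu', 'upgrade-required' or 'unknown'."""
    v = normalize_version(version_text)
    if v is None:
        return "unknown"
    if v in CPU_JAN09_DB_VERSIONS:
        return "certified-last-cpu" if v in LAST_CPU_DB_VERSIONS else "certified"
    return "upgrade-required"


def triage(inventory):
    """inventory: dict of instance name -> version string. Returns name -> status."""
    return {name: cpu_jan09_status(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical instance names and versions).
SAMPLE_INVENTORY = {
    "EBSPROD": "10.2.0.4.0",
    "EBSTEST": "Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production",
    "HRDEV": "10.2.0.2.0",
    "LEGACY": "9.2.0.7.0",
    "NOVERSION": "banner unavailable",
}

if __name__ == "__main__":
    for name, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{name:10} {status}")
```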

Oracle Database
  • There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely that a portion of these vulnerabilities can be exploited using only PUBLIC privileges, which are accessible to all database accounts.
  • The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
  • At least one of the database security vulnerabilities has a CVSS 2.0 score of 5.5, which should be considered medium to high risk for a database vulnerability. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
  • There are 2 vulnerabilities in the SQL*Plus Windows GUI (sqlplusw) client-side installation. Previously, these types of client-side vulnerabilities have been buffer overflows in passed parameters or environment variables.

Oracle Application Server
  • There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.

Oracle E-Business Suite 11i and R12
  • There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. It may be possible to exploit the one Oracle Applications Framework vulnerability using any application account, or using generic accounts through modules such as iStore or iRecruitment.

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.