Entries For: July 2009
July 31, 2009
Oracle Critical Patch Update October 2009 - 12.0.3 or Higher Only
For those of you who didn't read the Oracle Critical Patch Update (CPU) July 2009 Oracle E-Business Suite documentation (Metalink Note ID 836258.1) closely enough, Oracle has now established a minimum baseline for R12.
Starting with the October 2009 Critical Patch Update -
The new minimum supported baseline will be Release 12.0.3; that is, Oracle E-Business Suite Critical Patch Updates will only be available for customers on Release 12.0.3 or higher.
Oracle Critical Patch Update October 2009 - 11i ATG RUP6 or RUP7 Only
Oracle has officially released the latest Oracle Applications Technology update patch which is formally known as Oracle Applications Technology 11i.ATG_PF.H.delta.7 (RUP7). The patch number is 6241631.
The Oracle policy for Oracle E-Business Suite 11i Critical Patch Updates is very clear -
Oracle Applications Technology (ATG) Minimum Supported Baseline:
Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology only supports the current and previous production rollups (RUPn and RUPn-1) as patching baselines for all 11i releases.
One advantage of applying RUP7 is that it contains Oracle Applications Technology (ATG) security fixes for core ATG products from the January 2005 Critical Patch Update (CPUJan2005) through the July 2009 Critical Patch Update (CPUJul2009). The following core ATG products are included in 11i.ATG_PF.H.delta.7: FND, OAM, OWF, FWK, JTT, JTA, TXK, XDO, ECX, EC, AK, ALR, UMX, BNE, and FRM. Note that this is a large subset of the 11i CPU patches, but does not include any functional module patches such as AP, iStore, etc. You still must review all previous CPUs for missing EBS CPU patches.
July 15, 2009
Oracle Critical Patch Update (CPU) - July 2009 - E-Business Suite Impact
Oracle released the nineteenth Critical Patch Update (CPU) on Tuesday, July 14, 2009 (CPU July 2009/CPUJul09). This quarter is like the previous eighteen: many patches and long hours to get all the security patches applied in a timely manner. Around 12 of the 30 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately, as in the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 (AOL), CVE-2009-1982 (OAF), and CVE-2009-1983 (iStore) are all in externally accessible components, and two of them are remotely exploitable without authentication. These customers should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - July 2009 - E-Business Suite Impact
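The support baselines quoted in the posts above (October 2009: 11i on ATG_PF.H RUP6 or RUP7, R12 on 12.0.3 or higher; July 2009: database 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6 or 11.1.0.7 and ATG_PF.H RUP5 or RUP6) are the kind of thing an EBS administrator has to check across every instance before each quarter. The following is an added example, not Integrigy's or Oracle's code, that encodes those baselines and the "current and previous RUP" policy and runs an inventory against them. The inventory entries, instance names and the `EbsInstance`/`check_instance`/`report` helpers are constructed for illustration; the certified database list for the October 2009 CPU is not given on this page, so that check is skipped for it.

```python
"""Check an Oracle E-Business Suite (EBS) inventory against the Critical Patch
Update (CPU) support baselines quoted in the posts above.  Added example; not
Integrigy's or Oracle's code.  Inventory data below is constructed."""

from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """'10.2.0.4' -> (10, 2, 0, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def supported_rups(current_rup: int) -> set:
    """Oracle's ATG policy: only the current and previous production rollup
    (RUPn and RUPn-1) are patching baselines for 11i."""
    return {current_rup - 1, current_rup}


# Baselines as stated on the page.  The October 2009 certified database
# list is not given in the posts, so that check is skipped (None).
CPU_BASELINES = {
    "CPUJul2009": {
        "db": {"9.2.0.8", "10.1.0.5", "10.2.0.4", "11.1.0.6", "11.1.0.7"},
        "atg_rups": supported_rups(6),   # RUP5 or RUP6
        "r12_min": (12, 0, 0),           # 12.0.x and 12.1.x are supported
    },
    "CPUOct2009": {
        "db": None,
        "atg_rups": supported_rups(7),   # RUP6 or RUP7
        "r12_min": (12, 0, 3),           # 12.0.3 or higher
    },
}


@dataclass
class EbsInstance:
    name: str
    ebs_release: str               # e.g. "11.5.10.2" or "12.0.4"
    db_version: str                # Oracle Database version
    atg_rup: Optional[int] = None  # 11i only: ATG_PF.H delta (RUP) level


def check_instance(inst: EbsInstance, cpu: str) -> list:
    """Return the reasons an instance is NOT on the baseline for the given
    CPU; an empty list means the CPU patches can be applied as released."""
    base = CPU_BASELINES[cpu]
    problems = []
    release = parse_version(inst.ebs_release)
    if release[0] == 11:
        # 11i: the ATG rollup level decides, not the 11.5.10.x point release
        if inst.atg_rup not in base["atg_rups"]:
            need = "/".join(f"RUP{n}" for n in sorted(base["atg_rups"]))
            problems.append(f"ATG RUP{inst.atg_rup} below baseline ({need})")
    elif release < base["r12_min"]:
        minimum = ".".join(map(str, base["r12_min"]))
        problems.append(f"EBS {inst.ebs_release} below R12 baseline {minimum}")
    if base["db"] is not None and inst.db_version not in base["db"]:
        problems.append(f"database {inst.db_version} not certified")
    return problems


def report(inventory: list, cpu: str) -> dict:
    """Map instance name -> list of problems (empty = ready to patch)."""
    return {inst.name: check_instance(inst, cpu) for inst in inventory}


# Constructed inventory: names and versions are made up for illustration.
INVENTORY = [
    EbsInstance("PROD11i", "11.5.10.2", "10.2.0.4", atg_rup=6),
    EbsInstance("DEV11i", "11.5.10.2", "10.2.0.3", atg_rup=5),
    EbsInstance("PRODR12", "12.0.4", "11.1.0.7"),
    EbsInstance("TESTR12", "12.0.2", "11.1.0.7"),
]

if __name__ == "__main__":
    for cpu in CPU_BASELINES:
        print(cpu)
        for name, problems in report(INVENTORY, cpu).items():
            print(f"  {name}: {'OK' if not problems else '; '.join(problems)}")
```

Run as a script, it lists each instance per CPU: DEV11i passes the July 2009 RUP check (RUP5 is still RUPn-1) but fails the database check, and falls off the baseline entirely in October 2009 once RUP7 ships; TESTR12 on 12.0.2 is fine for July but needs an upgrade to 12.0.3 before the October CPU. The point of keeping the RUP rule in `supported_rups()` rather than hard-coding sets is that the same check survives the next quarter by changing one number.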
July 13, 2009
Oracle Critical Patch Update July 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -
- Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is three remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have even a single remotely exploitable without authentication vulnerability in the database, and having three such vulnerabilities could make this a significant and high priority CPU. Most likely these three vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
- There are no major version support changes for this CPU.
Oracle Database
- There are 10 database vulnerabilities and three are remotely exploitable without authentication. As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
- The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components. One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
- Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
- There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools. The highest CVSS 2.0 metric is a 5.0, suggesting that these are only of limited risk. For the Oracle HTTP Server, which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several months later. Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
Oracle E-Business Suite 11i and R12
- There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
- Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
- This is the first CPU with a patch for 12.1.
Planning Impact
- The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.