Entries For: October 2010
October 27, 2010
Upcoming Webinar: Oracle Critical Patch Update October 2010 - Oracle Database Impact
Thursday, October 28, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
October 20, 2010
Upcoming Webinars: Oracle Critical Patch Update October 2010
Oracle October 2010 CPU - Oracle E-business Suite Impact
Thursday, October 21, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the October 2010 CPU and the impact on E-Business Suite environments.
Topics will include:
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle October 2010 CPU - Oracle Database Impact
Thursday, October 28, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the October 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
October 14, 2010
Is the Oracle Critical Patch Update for October 2010 Massive?
The news reports describing the October 2010 Oracle Critical Patch Update (CPU) are using terms like "giant", "massive", and practically every other known synonym for a really big security patch release. These news reports must be resonating with CIOs and CSOs as Integrigy has received a number of client calls and a huge response to our upcoming webinars detailing this CPU.
As always, a little perspective and analysis is required to quantify what is actually in the CPU and the risk to an organization. First, let's look at the 85 vulnerabilities patched in the CPU to see how this CPU compares with previous CPUs -
- 75% (63 of 85) of the bugs fixed in this CPU are in products Oracle has acquired since the release of the first CPU in January 2005.
- 40% (36 of 85) of the bugs fixed in this CPU are in products Oracle has owned for less than a year (Sun).
- Only 7 database vulnerabilities are fixed this quarter where the historical average is 16.5 database bugs per quarter.
- Only 6 E-Business Suite vulnerabilities are fixed this quarter where the historical average is 9 bugs per quarter.
A more detailed look at the security bug count and maximum CVSS score by quarter shows this CPU for the Oracle Database and Oracle E-Business Suite is average or slightly below for both bug count and maximum CVSS score. Integrigy's preliminary analysis of this CPU shows 4 of the 7 database vulnerabilities can be exploited with no database credentials or just CREATE SESSION system privilege, which is consistent with previous CPUs - the other 3 vulnerabilities actually require advanced or infrequently granted privileges or roles like EXECUTE_CATALOG_ROLE.
Clearly for the Oracle Database and Oracle E-Business Suite, this CPU is no different than the previous twenty-three CPUs and should be handled with the same processes and prioritization as previous CPUs.
Upcoming Integrigy Oracle Critical Patch Update Webinars
Oracle October 2010 CPU E-Business Suite Impact Webinar
Thursday, October 21, 2-3pm EDT
Oracle October 2010 CPU Oracle Database Impact Webinar
Thursday, October 28, 2-3pm EDT
October 10, 2010
Oracle Critical Patch Update October 2010 Pre-Release Analysis
- Overall, 50 Oracle security vulnerabilities are fixed in this CPU, which is an average number and well within the range of previous CPUs (Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
- Application Server = 10.1.2.3.0, 10.1.3.5.0, 11.1.1.1.0, 11.1.1.2.0
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- This is the first CPU to exclude 9.2.0.8 as extended support ended July 2010. The only other major change is the inclusion of Oracle Application Server/Fusion Middleware versions 10.1.3.5.0 and 11.1.1.x.
- The highlight of this CPU is 6 of 8 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication. The vulnerabilities are in BI Publisher, BPEL Console, Cabo/UIX, Forms, OID, and Perl components.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle October 2010 CPU E-Business Suite Impact Webinar Thursday, October 21, 2pm ET and (2) Oracle October 2010 CPU Oracle Database Impact Webinar Thursday, October 28, 2pm ET.
Oracle Database
- There are 7 database vulnerabilities and one is remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.5 (practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.
Oracle Application Server
- There are 8 new Oracle Application Server vulnerabilities, 6 of which are remotely exploitable without authentication. All the vulnerabilities appear to be in components not normally exposed externally.
Oracle E-Business Suite 11i and R12
- There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities, 5 of which are remotely exploitable without authentication.
- The vulnerabilities are in the Oracle Applications Manager, Oracle Applications Technology Stack, Oracle E-Business Intelligence, Oracle iRecruitment, and Oracle Territory Management. Of most interest will be the vulnerabilities in iRecruitment, as these might be exploitable in externally accessible web pages. Customers running iRecruitment should prepare to apply the patches immediately.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in iRecruitment to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
Oracle Application Server Fastcgi Echo Vulnerability Reports
Regardless of whether a vulnerability exists, the FastCGI echo programs (echo and echo2) should always be removed or disabled in all Oracle Application Server implementations, as they can provide information to an attacker. To verify whether the echo program is installed, try http://<host>:<port>/fcgi-bin/echo.
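The check above is easy to script so that every Application Server instance is tested for both echo programs. The following Python script is an added example, not code from the original post or from Oracle; the default host and port and the status-to-verdict mapping are assumptions of the example: a 200 means the program is reachable, 401/403 means access is blocked, 404 means it is not installed, and a 5xx means the program is present but failing (the behaviour the post reports for 12.0). The `fetch` argument is injectable so the classification can be exercised offline.

```python
"""Check whether the FastCGI echo programs answer on an Oracle Application
Server instance. Added example; host, port and verdict mapping are assumptions."""
import sys
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Paths the post says to test on every Application Server instance.
ECHO_PATHS = ("/fcgi-bin/echo", "/fcgi-bin/echo2")


def http_status(url, timeout=10):
    """GET url and return the HTTP status code, or None if no HTTP answer came back."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:        # 4xx/5xx are raised, but carry the code
        return err.code
    except URLError:                # DNS failure, refused connection, timeout
        return None


def classify(status):
    """Map a status code to a verdict (mapping is an assumption of this example)."""
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"            # echo program installed and answering
    if status in (401, 403):
        return "blocked"            # e.g. a Deny from all restriction in place
    if status == 404:
        return "absent"             # not installed or fcgi-bin not mapped
    if status >= 500:
        return "present-erroring"   # program present but failing (seen on 12.0)
    return "other"


def check_echo(base_url, fetch=http_status):
    """Return {path: verdict} for both echo programs under base_url."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in ECHO_PATHS}


def needs_action(results):
    """True when an echo program is still present in any form; both verdicts
    call for removing fcgi-bin or disabling FastCGI, as the post recommends."""
    return any(v in ("exposed", "present-erroring") for v in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8000"
    verdicts = check_echo(target)
    for path, verdict in verdicts.items():
        print(f"{target}{path}: {verdict}")
    print("ACTION REQUIRED" if needs_action(verdicts) else "no echo program reachable")
```

Run it as `python check_echo.py http://<host>:<port>` against each Application Server instance; a "blocked" or "absent" verdict for both paths is the state the post recommends, while "exposed" or "present-erroring" means the restriction below has not been applied.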
In Oracle's Best Practices for Securing the Oracle E-Business Suite (Metalink Notes 189367.1 page 17 and 403537.1 page 16), there is a recommendation to either remove the reference to fcgi-bin or disable fastcgi. With AutoConfig, the following lines can be inserted into the custom_apache.conf file.
# The ~ makes Location treat its argument as a regular expression; without it
# Apache reads "^/fcgi-bin/echo.*$" as a literal URL path and restricts nothing.
<Location ~ "^/fcgi-bin/echo.*$">
Order deny,allow
Deny from all
</Location>
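As an added audit helper, not code from the post or from Oracle's note, the following Python checks a custom_apache.conf (or R12 custom.conf) text for a Location block that actually denies both echo paths. It evaluates the directive argument the way Apache does: with `~` (or in a `<LocationMatch>`) it is a regular expression, otherwise a literal URL-path prefix, so a block written `<Location "^/fcgi-bin/echo.*$">` with the tilde dropped restricts nothing. The sample configurations are constructed for the example, and the Order/Deny/Allow evaluation is simplified to the `Order deny,allow` case.

```python
"""Audit an AutoConfig custom conf for the fcgi-bin echo restriction.
Added example; sample configs are constructed, not taken from a real system."""
import re

ECHO_PATHS = ("/fcgi-bin/echo", "/fcgi-bin/echo2")

# <Location ...> or <LocationMatch ...> block: optional ~, optional quotes, body.
LOCATION_RE = re.compile(
    r'<Location(Match)?\s+(~\s+)?"?([^">\s]+)"?\s*>(.*?)</Location(?:Match)?>',
    re.IGNORECASE | re.DOTALL,
)


def location_matches(is_regex, argument, path):
    """Apache semantics: regex search for ~/LocationMatch, else URL-path prefix."""
    if is_regex:
        try:
            return re.search(argument, path) is not None
        except re.error:
            return False
    # Plain Location: "/a" matches "/a" and "/a/..." but not "/ab".
    return path == argument or path.startswith(argument.rstrip("/") + "/")


def block_denies_all(body):
    """Simplified access-control evaluation for an Order deny,allow block:
    'Deny from all' blocks everyone unless an 'Allow from all' overrides it."""
    body_l = body.lower()
    return "deny from all" in body_l and "allow from all" not in body_l


def denied_paths(conf_text):
    """Set of echo paths that some Location block in conf_text denies to everyone."""
    denied = set()
    for match in LOCATION_RE.finditer(conf_text):
        is_locmatch, tilde, argument, body = match.groups()
        if not block_denies_all(body):
            continue
        is_regex = bool(is_locmatch or tilde)
        denied.update(p for p in ECHO_PATHS if location_matches(is_regex, argument, p))
    return denied


def missing_restrictions(conf_text):
    """Echo paths the conf does not restrict; an empty list means the fix is in place."""
    return [p for p in ECHO_PATHS if p not in denied_paths(conf_text)]


# Constructed samples: the correct regex form and a copy that lost the tilde.
GOOD_CONF = '''<Location ~ "^/fcgi-bin/echo.*$">
Order deny,allow
Deny from all
</Location>
'''
TILDE_MISSING_CONF = '''<Location "^/fcgi-bin/echo.*$">
Order deny,allow
Deny from all
</Location>
'''

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("tilde missing", TILDE_MISSING_CONF)):
        print(name, "-> unrestricted:", missing_restrictions(conf) or "none")
```

Feed it the contents of the custom conf after AutoConfig has been run; anything listed as unrestricted should be fixed before relying on the conf to block the echo programs, and the HTTP check remains the final confirmation.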
Oracle E-Business Suite 11i (11.5.10)
For 11.5.10.x with a recent version of the AutoConfig templates installed (TXK AutoConfig Templates Rollup Patch I or greater), there is no issue, because a typo in the AutoConfig templates sets the fcgi-bin directory to $IAS_TOP/Apache/fcgi-bin rather than $IAS_TOP/Apache/Apache/fcgi-bin, so the echo programs are not actually served.
Oracle E-Business Suite R12 (12.0)
The echo program in 12.0.x is enabled with no restrictions, although in the environments we tested, echo and echo2 always returned server errors when executed. We recommend that all 12.0 implementations add the above restriction for echo and echo2 to the custom.conf file.
Oracle E-Business Suite R12 (12.1)
The AutoConfig templates for 12.1 include a specific restriction on access to fcgi-bin/echo and fcgi-bin/echo2 in the apps.conf file, and the FastCGI module is not loaded (httpd.conf).