Oracle Security Blog http://www.integrigy.com/oracle-security-blog A weblog about Oracle Security, especially the Oracle E-Business Suite 11i and the Oracle Database, written by Integrigy's Chief Technology Officer Stephen Kost Oracle Security Blog http://www.integrigy.com/favicon.ico Upcoming Webinar: Oracle Critical Patch Update July 2010 Database Impact http://www.integrigy.com/oracle-security-blog/archive/2010/07/28/webinar-oracle-cpu-july-2010-database Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT

Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
  • A review of the security vulnerabilities fixed in this CPU,
  • An analysis of the required CPU patches,
  • A discussion of patching including CPUs vs. PSUs.

Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.

Click here to register for this webinar. 2010-07-28T14:09:11-05:00 2010-07-28T14:09:11-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle Critical Patch Update July 2010 Pre-Release Analysis http://www.integrigy.com/oracle-security-blog/archive/2010/07/11/cpu-july-2010-prerelease Here is a brief analysis of the pre-release announcement for the upcoming July 2010 Oracle Critical Patch Update (CPU) -
  • Overall, 38 Oracle security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).  These numbers have been normalized for Oracle products and excludes any Sun products.
  • The Oracle product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
        • Application Server = 10.1.2.3.0
        • E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  • The highlight of this CPU is 4 of 6 Oracle Database security vulnerabilities are remotely exploitable without authentication.  It is rare to have a single remotely exploitable without authentication vulnerability in the database.  Most likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application Builder.  If the remotely exploitable vulnerabilities are in the Listener component, then this could only be a denial of service vulnerabilities.
  • There are no major version support changes in for this CPU.
  • Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2010 CPU E-Business Suite Impact Webinar Thursday, July 22, 2pm ET and (2) Oracle July 2010 CPU Oracle Database Impact Webinar Thursday, July 29, 2pm ET.

Oracle Database
  • There are 6 database vulnerabilities and four are remotely exploitable without authentication.
  • Since at least one database vulnerability has a CVSS 2.0 metric of 7.8 (practical maximum for a database vulnerability), this is a fairly important CPU.  Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.
Oracle Application Server
  • There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication.  For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control.  Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.

Oracle E-Business Suite 11i and R12
  • There are 7 new Oracle E-Business Suite 11i and R12 vulnerabilities, five of which are remotely exploitable without authentication.
  • The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management.  Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF) and these might exploitable in externally accessible web pages.

Planning Impact
  • We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs.  The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall.  If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
 2010-07-11T22:11:02-05:00 2010-07-11T22:12:11-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite Upcoming Webinars: Oracle Critical Patch Update July 2010 http://www.integrigy.com/oracle-security-blog/archive/2010/07/09/webinar-oracle-cpu-july-2010 Integrigy's CTO, Stephen Kost, will be presenting a series of webinars on Oracle's Critical Patch Update for July 2010.

Oracle July 2010 CPU - Oracle E-business Suite Impact
Thursday, July 22, 2:00pm - 3:00pm EDT

This quarterly eLearning session will focus on the July 2010 CPU and the impact on E-Business Suite environments.

Topics will include;
  • a review of the security vulnerabilities fixed in the CPU,
  • an analysis of the required CPU patches,
  • a discussion of a high-level patch strategy.

Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.

Click here to register for the Oracle E-Business Suite webinar.


Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT

Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
  • A review of the security vulnerabilities fixed in this CPU,
  • An analysis of the required CPU patches,
  • A discussion of patching including CPUs vs. PSUs.

Example vulnerabilities will be demonstrated in order to show how easy it is exploit many of the fixed security bugs.

Click here to register for the Oracle Database webinar.

 2010-07-09T14:36:27-05:00 2010-07-09T14:38:21-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite Upcoming IOUG Webinar - A Journey Through Enterprise Database Security for DBAs http://www.integrigy.com/oracle-security-blog/archive/2010/05/25/ioug-webinar-database-security Integrigy's CTO, Stephen Kost, will be presenting an Independent Oracle User's Group (IOUG) educational webinar as part of IOUG's Database Security Technical Education Series.

A Journey Through Enterprise Database Security for DBAs
Stephen Kost, Integrigy
Wednesday, May 26, 1:00pm - 2:00pm CT

This presentation is intended for Database Administrators. It will detail the enterprise database security requirements, regulatory requirements and monitoring of databases.

Click here to register for the webinar.

The webinar is free for IOUG Full Members and $49 for Associate Members and Non-members. 2010-05-25T16:58:07-05:00 2010-05-25T16:58:07-05:00 Stephen Kost Oracle Database Integrigy Oracle CPU Virtual Session Live from COLLABORATE 10 http://www.integrigy.com/oracle-security-blog/archive/2010/04/15/collaborate10-virtual For those of you unable to attend the OAUG/IOUG COLLABORATE 10 User Conference in Las Vegas next week, the conference is offering a virtual experience of the conference.  There will be 41 sessions available via webinar live from Las Vegas.  Integrigy is pleased to announce that the following session is included in the roster of Plug-in to Vegas virtual sessions -

Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm 2010-04-15T22:03:38-05:00 2010-04-15T22:06:22-05:00 Stephen Kost COLLABORATE Oracle Critical Patch Update Integrigy at COLLABORATE 10 http://www.integrigy.com/oracle-security-blog/archive/2010/03/30/collaborate10
For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  COLLABORATE 10 is Sunday, April 18, 2010 through Thursday, April 22, 2010 in Las Vegas.  This year there will be over 1,000 technical sessions covering virtually every Oracle product. 

If you are attending and would like to chat about the latest developments in Oracle security or discuss specific security challenges you might be facing, drop me a note and we can arrange to meet.

Integrigy's CTO, Stephen Kost, will be presenting three technical sessions on securing Oracle products and participating on two panels.

Oracle Applications Users Group (OAUG)


Leveraging Oracle Database Security Technologies with Oracle E-Business Suite
Session #4556
Monday, April 19, 2010
10:45am - 11:45am

Panel: Governance, Risk & Compliance SIG Meeting
Session #4699
Tuesday, April 20, 2010
8:00am - 9:00am

Panel: Securing the E-Business Suite - Expert And Best Practices Panel
Session #3676
Wednesday, April 21, 2010
9:15am - 10:15am

Independent Oracle Users Group (IOUG)


Oracle Critical Patch Updates Unwrapped
Session #330
Tuesday, April 20, 2010
2:00pm - 3:00pm

Is Your Auditing Failing You?
Session #600
Thursday, April 22, 2010
11:00am - 12:00pm
(Note: the time for this presentation has changed)

See you in Las Vegas!
 2010-03-30T09:18:41-05:00 2010-04-15T22:07:30-05:00 Stephen Kost COLLABORATE Oracle Critical Patch Update January 2010 Pre-Release Analysis http://www.integrigy.com/oracle-security-blog/archive/2010/01/08/cpu-january-2010-prerelease Here is a brief analysis of the pre-release announcement for the upcoming January 2010 Oracle Critical Patch Update (CPU) -
  • Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 for major platforms
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  • The highlight of this CPU are 2 remotely exploitable without authentication vulnerabilities in the Oracle Database.  It is rare to have a single remotely exploitable without authentication vulnerability in the database.  Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup.  If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
  • There are no major version support changes in for this CPU.

Oracle Database
  • There are 10 database vulnerabilities and two are remotely exploitable without authentication.
  • Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication there a buffer overflow in the Listener component that is remotely exploitable without authentication.  Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).
Oracle Application Server
  • There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication.  The affected components are Access Manager Identify Server and Oracle Containers for J2EE.  With maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.

Oracle E-Business Suite 11i and R12
  • There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
  • The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS.  Of most interest will be if the AOL vulnerability is in an externally accessible web page.

Planning Impact
  • The criticality of this quarter's CPU is in-line with previous CPUs. 
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
 2010-01-08T09:21:47-06:00 2010-01-08T09:21:47-06:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite Oracle Critical Patch Update October 2009 - 12.0.3 or Higher Only http://www.integrigy.com/oracle-security-blog/archive/2009/07/31/oracle-cpu-october-2009-r12 For those of you who didn't read the Oracle Critical Patch Update (CPU) July 2009 Oracle E-Business Suite documentation (Metalink Note ID 836258.1) closely enough, Oracle has now established a minimum baseline for R12.

Starting with the October 2009 Critical Patch Update -

The new minimum supported baseline will be Release 12.0.3; that is, Oracle E-Business Suite Critical Patch Updates will only be available for customers on Release 12.0.3 or higher.

This is a significant update for some customers due to the size and impact of the patch. 2009-07-31T10:01:35-05:00 2009-07-31T10:01:35-05:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update Oracle Critical Patch Update October 2009 - 11i ATG RUP6 or RUP7 Only http://www.integrigy.com/oracle-security-blog/archive/2009/07/31/oracle-cpu-october-2009-rup7 Oracle has officially released the latest Oracle Applications Technology update patch which is formally known as Oracle Applications Technology 11i.ATG_PF.H.delta.7 (RUP7).  The patch number is 6241631.

The Oracle policy for Oracle E-Business Suite 11i Critical Patch Updates is very clear -

Oracle Applications Technology (ATG) Minimum Supported Baseline:

Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology only supports the current and previous production rollups (RUPn and RUPn-1) as patching baselines for all 11i releases.

With the release of ATG RUP7, the minimum supported baseline for the October 2009 Critical Patch Update (CPU) will be ATG RUP6 or RUP7.  Therefore, in order to apply the October 2009 Oracle EBS CPU patches, you must be on RUP6 or RUP7.

One advantage of applying RUP7 is that it contains Oracle Applications Technology (ATG) security fixes for core ATG products from the January 2005 Critical Patch Update (CPUJan2005) through the July 2009 Critical Patch Update (CPUJul2009).  The following core ATG products are included in 11i.ATG_PF.H.delta.7: FND, OAM, OWF, FWK, JTT, JTA, TXK, XDO, ECX, EC, AK, ALR, UMX, BNE, and FRM.  Note that this is a large subset of the 11i CPU patches, but does not include any functional module patches such as AP, iStore, etc.  You still must review all previous CPUs for missing EBS CPU patches. 2009-07-31T09:52:03-05:00 2009-07-31T09:52:50-05:00 Webmaster Oracle E-Business Suite Oracle Critical Patch Update Oracle Critical Patch Update (CPU) - July 2009 - E-Business Suite Impact http://www.integrigy.com/oracle-security-blog/archive/2009/07/15/oracle-cpu-july-2009 Oracle released the nineteenth Critical Patch Update (CPU) on Tuesday, July 14, 2009 (CPU July 2009/CPUJul09). This quarter is the same as the previous eighteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 12 of the 30 vulnerabilities fixed impact the Oracle E-Business Suite.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963).  One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.

For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 AOL, CVE-2009-1982 OAF, and CVE-2009-1983 iStore are all externally accessible and two are remotely exploitable without authentication.  These customers should carefully review these vulnerabilities and patch as soon as possible.

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - July 2009 - E-Business Suite Impact 2009-07-15T14:12:46-05:00 2009-07-16T09:39:25-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite Oracle Critical Patch Update July 2009 Pre-Release Analysis http://www.integrigy.com/oracle-security-blog/archive/2009/07/13/cpu-july-2009-prerelease Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -
  • Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  • The highlight of this CPU are 3 remotely exploitable without authentication vulnerabilities in the Oracle Database.  It is rare to have a single remotely exploitable without authentication vulnerability in the database and having three such vulnerabilities could make this a significant and high priority CPU.  Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
  • There are no major version support changes in for this CPU.

Oracle Database
  • There are 10 database vulnerabilities and three are remotely exploitable without authentication.  As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
  • The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components.  One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
  • Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
Oracle Application Server
  • There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication.  In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication.  The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools.  The highest CVSS 2.0 metric is a 5.0 suggesting that these are only of limited risk.  For the Oracle HTTP Server which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several month later.  Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.

Oracle E-Business Suite 11i and R12
  • There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
  • Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
  • This is the first CPU with a patch for 12.1.

Planning Impact
  • The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs. 
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
 2009-07-13T14:18:28-05:00 2009-07-13T14:18:28-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite 11i ATG RUP7 and Critical Patch Updates Impact http://www.integrigy.com/oracle-security-blog/archive/2009/06/16/oracle-cpu-rup7 Oracle has hinted at the upcoming release of Oracle E-Business Suite 11i.ATG_PF.H.delta.7 (or commonly referred to as RUP7) and will be most likely available in the next several months as it is currently under going internal testing.  Oracle Critical Patch Update patches for Oracle E-Business Suite 11i have the latest ATG RUP patches as a prerequisite - the official prerequisite is RUP N or RUP N-1 is required.  The last RUP was ATG RUP6 (5903765) released in October 2007. 

Currently for April 2009 CPU patches, RUP5 or RUP6 is required.  Due to timing, most likely for July 2009 CPU patches, RUP5 or RUP6 will be required.  For planning purposes, it should be assumed that for October 2009 CPU patches, only RUP6 and RUP7 will be supported.

Also, since April 2009 and for all future CPUs, the only 11i CPU supported database versions are 9.2.0.8, 10.1.0.5, 10.2.0.4, and 11.1.0.7. 2009-06-16T10:30:03-05:00 2009-06-16T10:30:42-05:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update COLLABORATE 09 Integrigy Presentations http://www.integrigy.com/oracle-security-blog/archive/2009/05/07/collaborate09-presentations The COLLABORATE 09 conference has completed and from all accounts was a success.  For those of you not familiar with COLLABORATE, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  This year's conference had over 1,000 technical sessions covering virtually every Oracle product.  Integrigy delivered 3 security related presentations and I have upload the presentations to our Security Resources section under Whitepapers and Presentations.  Here are the links -

Oracle Applications Users Group (OAUG)

Oracle Critical Patch Updates Unwrapped


Independent Oracle Users Group (IOUG)


Oracle Critical Patch Updates: Insight and Understanding

Real World Database Auditing

 2009-05-07T14:16:25-05:00 2009-05-07T14:17:19-05:00 Stephen Kost COLLABORATE Oracle E-Business Suite Oracle Database Integrigy at COLLABORATE 09 http://www.integrigy.com/oracle-security-blog/archive/2009/04/29/collaborate09 For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  COLLABORATE 09 is next week, Sunday, May 3 through Thursday, May 7 in Orlando.  This year there will be over 1,000 technical sessions covering virtually every Oracle product. 

Integrigy's CTO, Stephen Kost, will be presenting three technical sessions:

Oracle Applications Users Group (OAUG)


Oracle Critical Patch Updates Unwrapped
Session #1936
Wednesday, May 6, 2009
9:45am - 10:45am

Independent Oracle Users Group (IOUG)


Oracle Critical Patch Updates: Insight and Understanding
Session #359
Wednesday, May 6, 2008
8:30am - 9:30am

Real World Database Auditing
Session #602
Tuesday, May 5, 2009
11:00 AM - 12:00 PM

See you in Orlando! 2009-04-29T19:56:39-05:00 2009-05-07T14:13:04-05:00 Stephen Kost COLLABORATE Oracle Critical Patch Update - April 2009 - E-Business Suite Impact http://www.integrigy.com/oracle-security-blog/archive/2009/04/17/oracle-cpu-april-2009 Oracle released the eighteenth Critical Patch Update (CPU) on Tuesday, April 14, 2009 (CPU April 2009/CPUApr09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 43 vulnerabilities fixed impact the Oracle E-Business Suite.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Again this quarter there are a number of database vulnerabilities that can be exploited by lowly privileged database accounts, including the APPLSYSPUB account.  Also, there are 2 denial of service vulnerabilities - one in the database listener and the other in the RAC Cluster Ready Services.

For the Application Server, no action is required for Oracle E-Business Suite 11i.  For R12, there is a serious vulnerability in OPMN which is installed and used and multiple issues in BI Publisher (formerly XML Publisher).

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.07 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - April 2009 - E-Business Suite Impact 2009-04-17T15:03:06-05:00 2009-04-17T15:03:06-05:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update