Oracle Critical Patch Update April 2011 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming April 2011 Oracle Critical Patch Update (CPU) -
- Overall, 47 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an average number and well within the range of previous CPUs (Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and excludes any Sun products.
The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 220.127.116.11, 18.104.22.168, 22.214.171.124 for major platforms
- Application Server = 10.1.2.3.0, 10.1.3.5.0, 126.96.36.199.0, 188.8.131.52.0, and 184.108.40.206.0
- E-Business Suite = 220.127.116.11, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- As anticipated by Integrigy, this is the first CPU available for Oracle Database 18.104.22.168.
- For the Oracle E-Business, as of the April 2011 there is no CPU support for all versions prior to 22.214.171.124 and 12.0.0 - 12.0.5. 126.96.36.199 requires the "Minimum Baseline for Extended Support" as specified in Metalink Note ID 883202.1.
- The highlight of this CPU is 6 of 9 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication with the highest CVSSv2 score being 10.0. The vulnerabilities are in Oracle Help, Oracle HTTP Server, Oracle JRockit, Oracle Outside In Technology, Oracle Security Service, Oracle WebLogic Server, Portal, and Single Sign On components.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle April 2011 CPU E-Business Suite Impact Webinar Thursday, April 28, 2pm ET and (2) Oracle April 2011 CPU Oracle Database Impact Webinar Thursday, May 5, 2pm ET.
- There are 6 database vulnerabilities and 2 are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 6.5 (important to high for a database vulnerability), this is a fairly important CPU.
- The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments. It will be interesting to see what the actual vulnerabilities are in these components: Application Service Level Management, Database Vault, Network Foundation, Oracle Help, Oracle Security Service, Oracle Warehouse Builder, and UIX. If the Network Foundation bug is a denial of service and most of the other components are not implemented in an environment, this could be one of the first CPUs to be classified as low risk for some Oracle databases.
Oracle Fusion Middleware
- There are 9 new Oracle Fusion Middleware vulnerabilities, 6 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- Of critical importance will be the fixes in the Oracle HTTP Server and Oracle Web Logic Server. All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.
Oracle E-Business Suite 11i and R12
- There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities, two of which are remotely exploitable without authentication.
- The vulnerabilities are Oracle Application Object Library (AOL), Applications Install, and Web ADI. It is not clear if the AOL vulnerabilities can be exploited externally in DMZ implementations.
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may the significant number of Oracle Fusion Middleware remotely exploitable vulnerabilities, especially any in the Oracle HTTP Server. For specific databases based on configuration and installed options, this may be a lower than average risk CPU.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in Application Object Library to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
Upcoming Integrigy CPU Webinars
Oracle April 2011 CPU E-Business Suite Impact
Thursday, April 28, 2pm ET
Oracle April 2011 CPU Oracle Database Impact
Thursday, May 5, 2pm ET