Oracle Security Blog

11i ATG RUP7 and Critical Patch Updates Impact

Stephen Kost — Tue, 16 Jun 2009 10:30:03 -0500

Oracle has hinted at the upcoming release of Oracle E-Business Suite 11i.ATG_PF.H.delta.7 (or commonly referred to as RUP7) and will be most likely available in the next several months as it is currently under going internal testing. Oracle Critical Patch Update patches for Oracle E-Business Suite 11i have the latest ATG RUP patches as a prerequisite - the official prerequisite is RUP N or RUP N-1 is required. The last RUP was ATG RUP6 (5903765) released in October 2007.

Currently for April 2009 CPU patches, RUP5 or RUP6 is required. Due to timing, most likely for July 2009 CPU patches, RUP5 or RUP6 will be required. For planning purposes, it should be assumed that for October 2009 CPU patches, only RUP6 and RUP7 will be supported.

Also, since April 2009 and for all future CPUs, the only 11i CPU supported database versions are 9.2.0.8, 10.1.0.5, 10.2.0.4, and 11.1.0.7.

COLLABORATE 09 Integrigy Presentations

Stephen Kost — Thu, 07 May 2009 14:16:25 -0500

The COLLABORATE 09 conference has completed and from all accounts was a success. For those of you not familiar with COLLABORATE, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. This year's conference had over 1,000 technical sessions covering virtually every Oracle product. Integrigy delivered 3 security related presentations and I have upload the presentations to our Security Resources section under Whitepapers and Presentations. Here are the links -

Oracle Applications Users Group (OAUG)

Oracle Critical Patch Updates Unwrapped

Independent Oracle Users Group (IOUG)

Oracle Critical Patch Updates: Insight and Understanding

Real World Database Auditing

Integrigy at COLLABORATE 09

Stephen Kost — Wed, 29 Apr 2009 19:56:39 -0500

For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. COLLABORATE 09 is next week, Sunday, May 3 through Thursday, May 7 in Orlando. This year there will be over 1,000 technical sessions covering virtually every Oracle product.

Integrigy's CTO, Stephen Kost, will be presenting three technical sessions:

Oracle Applications Users Group (OAUG)

Oracle Critical Patch Updates Unwrapped
Session #1936
Wednesday, May 6, 2009
9:45am - 10:45am

Independent Oracle Users Group (IOUG)

Oracle Critical Patch Updates: Insight and Understanding
Session #359
Wednesday, May 6, 2008
8:30am - 9:30am

Real World Database Auditing
Session #602
Tuesday, May 5, 2009
11:00 AM - 12:00 PM

See you in Orlando!

Oracle Critical Patch Update - April 2009 - E-Business Suite Impact

Stephen Kost — Fri, 17 Apr 2009 15:03:06 -0500

Oracle released the eighteenth Critical Patch Update (CPU) on Tuesday, April 14, 2009 (CPU April 2009/CPUApr09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 43 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Again this quarter there are a number of database vulnerabilities that can be exploited by lowly privileged database accounts, including the APPLSYSPUB account. Also, there are 2 denial of service vulnerabilities - one in the database listener and the other in the RAC Cluster Ready Services.

For the Application Server, no action is required for Oracle E-Business Suite 11i. For R12, there is a serious vulnerability in OPMN which is installed and used and multiple issues in BI Publisher (formerly XML Publisher).

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.07 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - April 2009 - E-Business Suite Impact

Oracle Critical Patch Update - January 2009 - E-Business Suite Impact

Stephen Kost — Thu, 15 Jan 2009 15:09:27 -0600

Oracle released the seventeenth Critical Patch Update (CPU) on Tuesday, January 13, 2009 (CPU January 2009/CPUJan09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 10 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

This quarter does have a higher than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, although even if it was just one vulnerability the database security patch should still be a priority.

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle Critical Patch Update - April 2008 - Version Support Matrix

.

Oracle Critical Patch Update January 2009 Pre-Release Analysis

Stephen Kost — Thu, 08 Jan 2009 16:37:02 -0600

Here is a brief analysis of the pre-release announcement for the upcoming January 2009 Oracle Critical Patch Update (CPU) -

Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -

Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
Application Server = 9.0.4.3, 10.1.2, and 10.1.3
E-Business Suite = 11.5.10.x, and 12.0.x

The highlight of this CPU are 9 remotely exploitable without authentication vulnerabilities in Oracle Secure Backup. All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
There are no major version support changes in for this CPU. It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.

Oracle Database

There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
At least one of the database security vulnerabilities has a CVSS 2.0 metric of 5.5, which for database vulnerabilities should be considered medium to high risk for a database vulnerability. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
There are 2 vulnerabilities in SQL*Plus Windows GUI (sqlplusw) client-side installation. Previously, these type of client-side have been buffer overflows in passed parameters or environmental variables.

Oracle Application Server

There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.

Oracle E-Business Suite 11i and R12

There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. It may be possible to exploit the one Oracle Applications Framework using any application account or generic accounts through modules such as iStore or iRecruitment.

Planning Impact

As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Oracle Critical Patch Update April 2007 New Vulnerability Information

Stephen Kost — Tue, 16 Dec 2008 17:04:40 -0600

New information has been released for an Oracle E-Business Suite 11i security vulnerability fixed as part of the April 2007 Critical Patch Update. The vulnerability was discovered by Joxean Koret and the TippingPoint Zero Day Initiative released the advisory. For those of you not familiar with the Zero Day Initiative, it is a security vendor sponsored program that pays for security vulnerability information.

Unfortunately, the Zero Day Initiative advisory ZDI-08-088 contains minimal information regarding the vulnerability and several inaccuracies. Oracle fixed this vulnerability as part of the April 2007 Critical Patch Update and subsequently in ATG_PF.H RUP5 and later. The vulnerability is a serious SQL injection bug in a Self-Service Web Application database package that is called and accessible through mod_plsql. Mod_plsql is an Apache module and part of an Oracle web framework which allows database packages to dynamically generate web pages. The vulnerable schema.package.procedure name is APPS.ICXSUPWF.DISPLAYCONTACTS and all versions 115.6 and prior are vulnerable. When creating intrusion detection/prevention rules for this vulnerability, the URL will only include the package/procedure name ICXSUPWF.DISPLAYCONTACTS and mod_plsql URLs are case-insensitive. This URL is normally blocked by the Oracle E-Business Suite 11i URL Firewall and should not be externally accessible.

Vulnerability "anthropologists" may be interested in the fact that this vulnerability has existed since at least September 1999 and likely was introduced several years earlier with the release of Oracle Applications 11.0.

Original Oracle Advisory:
Oracle Critical Patch Update April 2007 – APPS01

CVE Name:
CVE-2007-2126

Affected Product and Versions:
Oracle E-Business Suite 11.5.1 through 11.5.10.2

Affected Oracle E-Business Suite Modules:
Application Object Library (FND)/Self-Service Web Applications (ICX)

Patches:
11.5.1 - 11.5.6 – No patches are available for unsupported versions of the Oracle E-Business Suite
11.5.7 – 11.5.10.2 with ATG_PF.H RUP4 or prior – 5893391
11.5.9 – 11.5.10.2 with ATG_PF.H RUP5 or higher – No patch required as this fix was included in RUP5 and higher

References:
Integrigy Oracle Critical Patch Update April 2007 E-Business Suite Impact
Zero Day Initiative ZDI ZDI-08-088
Oracle Critical Patch Update April 2007 Advisory

Oracle E-Business Suite 12.0.6 - Security Enhancements

Stephen Kost — Fri, 07 Nov 2008 22:48:10 -0600

The Oracle E-Business Suite R12 Release Update Pack (RUP6 or 12.0.6) was released on November 7, 2008. This is the latest cumulative update patch for all product families including Applications Technology (ATG). The patch is 2GB in size and can be applied on top of any R12 version. The only prerequisite step is to apply R12.AD.A.DELTA.6 (7305220). See Metalink Note ID 743368.1 for more information.

From a security perspective, there are security related changes and enhancements included in the 12.0.6 RUP patch.

Cumulative Oracle Critical Patch Updates for Oracle E-Business Suite R12

12.0.6 is cumulative and includes Critical Patch Update (CPU) October 2008 and all previous CPU patches for R12. Although, most organizations should look to apply the CPU patches using the standalone CPU patch rather with 12.0.6 as the RUP patch will take much longer to functionally test.

Record History for OA Framework Pages

Just as with the Forms, OA Framework pages now can display information on who and when a record was created or last updated. It is important to note that as with the Forms, this information is only create and last update and no history of changes between the create and last update is saved. The new profile option "FND: Record History Enabled" controls access to this feature.

AutoConfig Support for 11g Access Control Lists Support

For customers running R12 with 11g, AutoConfig has been enhanced to support the new fine-grained access control for the UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, or UTL_INADDR packages. This will eliminate access to these packages from accounts such as APPLSYSPUB.

Oracle E-Business Suite Diagnostics Role Based Access Control (RBAC)

The Diagnostics features has been rewritten to fully utilize RBAC. This will allow for the diagnostics security to be much more granular. A secondary change is that test sensitivity level can be set at the test-level instead of the group-level. These changes are most useful for customers that allow end-users and super-users access to the Diagnostic tests. After applying 12.0.6, the functionality and security of Diagnistics should be reviewed to determine if the level of access to the tests is appropriate and the new roles "Diagnostics Super User", "Application Super User", and "Application End User" are assigned appropriately.

Urgent Oracle [BEA] WebLogic Security Patch (CVE-2008-3257)

Stephen Kost — Mon, 28 Jul 2008 16:12:39 -0500

Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server). The CVE ID is CVE-2008-3257. The CVSS 2.0 score for this vulnerability is 10 out of 10. To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.

The major risk associated with this vulnerability is that there are multiple published expliots, which allow for an attacker to compromise the integrity of the web server.

Oracle Security Advisories and CVE Identifiers

Stephen Kost — Wed, 16 Jul 2008 09:54:33 -0500

In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (i.e., DB01, AS01, APP01, etc.). Common Vulnerabilities and Exposures (CVE) is a standardized dictionary and identifiers of published security advisories. The purpose of CVE is to provide a single identifier for security vulnerabilities so that vendors, tools, and organizations can all refer to the same vulnerability with a single identifier. The format of the CVE identifier is (1) a fixed "CVE" to indicate it is a CVE identifier, (2) the year (i.e., 2008), and (3) a sequential number of when the entry was added to CVE (i.e., 2607). As an example, the first database vulnerability is CVE-2008-2607.

The previous Oracle proprietary numbering scheme had several issues in relationship to CVE numbering -

Oracle provided a mapping to previously released vulnerabilities only for those vulnerabilities in core components like Apache and OpenSSL. No mapping was provided for previously publicly disclosed vulnerabilities, so there are cases when the same vulnerability has two CVE identifiers.
A single CVE identifier was usually assigned to multiple vulnerabilities in an almost arbitrary fashion. This meant that a CVE identifier might include vulnerabilities from multiple components and in the case of the Oracle E-Business Suite across multiple patches. For Integrigy, this caused problems with our vulnerability scanning tool, AppSentry, since our reports have to handle many-to-many mappings when dealing with CVEs, patches, and vulnerabilities.
The CVE numbers were usually assigned 1-2 days after the Oracle release.

The CVE identifiers in the Oracle advisory does use a single CVE identifier per vulnerability and maps directly to previously disclosed vulnerabilities (see CVE-2007-1359). Although it would have been nice if Oracle had included hyperlinks in the advisory to either CVE or NVD for easier access. It will be interesting to see if CVE-2007-1359 is fixed in this CPU as either CVE-2008-2589, CVE-2008-2594, or CVE-2008-2609, which would reduce the effectiveness of using the CVE identifiers and again result in duplication of vulnerabilities in CVE if CVE identifiers for previously disclosed vulnerabilities are not used.

Using the CVE Identifiers

Additional information on vulnerabilities can be found either in the CVE or the National Vulnerability Database (NVD) sponsored by the Department of Homeland Security. NVD contains the most detailed information including a break-down of the CVSS2 score and links to external references that may have more information on the vulnerability. The typical process is that a generic NVD is created with only a reference to the original Oracle advisory. When there is public disclosure with additional details on the vulnerability, the NVD entry is updated with links to those disclosures. This process should be much more timely and accurate as most public disclosures will now include the CVE identifier. Usually, about 30% of the vulnerabilities per quarter will have additional information and the database vulnerabilities typically have more information than the other products.

An example of a fully populated entry is the ModSecurity vulnerability that was previously fixed in ModSecurity 2.1.1 -

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1359

An example of an entry with additional details is the buffer overflow in the Oracle AQ package SYS.DBMS_AQELM -

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2607

Oracle Critical Patch Update July 2008 Pre-Release Analysis

Stephen Kost — Fri, 11 Jul 2008 12:05:28 -0500

Here is a brief analysis of the pre-release announcement for the upcoming July 2008 Oracle Critical Patch Update (CPU) -

Overall, 45 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
This is the first CPU that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -

Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
Application Server = 9.0.4.3, 10.1.2, and 10.1.3
E-Business Suite = 11.5.10.x, and 12.0.x

The major CPU version support changes for July 2008 are -

Database version 10.2.0.4 is included in the list of affected versions
Oracle E-Business Suite 11i version 11.5.9 is no longer supported for CPUs

Oracle Database

There are 11 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting.
At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
The 2 Oracle 11g vulnerabilities discovered by Integrigy are low risk and are not be directly exploitable, but may allow authentication security mis-configurations to go undetected.

Oracle Application Server

There are 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in Hyperion BI Plus, Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
The Oracle HTTP Server vulnerabilities may be related to recent Apache HTTP Server and OpenSSL fixes.
The Oracle Portal vulnerability may be related to CVE-2008-2138, which is an access restriction bypass issue in the WebDav component of Oracle Portal.

Oracle E-Business Suite 11i and R12

There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. However, since iStore allows for customer self-registration, most likely the iStore vulnerability (or vulnerabilities) can be readily exploited by an unprivileged user.
For the Oracle E-Business Suite 11i, only 11.5.10.x is now supported for CPUs and requires ATG_PF.H RUP 5 or RUP 6 be installed.
The 2 Oracle E-Business Suite 11i/R12 vulnerabilities discovered by Integrigy are low risk and are in the Oracle Application Object Library (AOL/FND).

Planning Impact

As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Correction: This post has been edited to update the supported Oracle E-Business Suite 11i versions. The original Oracle pre-release and Rev1 of the advisory incorrectly stated only 11.5.10.2 was supported - 11.5.10 and 11.5.10.1 are still supported.

OAUG eLearning: Oracle Critical Patch Update April 2008

Stephen Kost — Wed, 30 Apr 2008 07:04:26 -0500

This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday. The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the April 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Stephen Kost — Wed, 23 Apr 2008 16:42:58 -0500

Oracle released the fourteenth Critical Patch Update (CPU) last week. This quarter is the same as the previous thirteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 41vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Integrigy discovered 8 of the 11 Oracle E-Business Suite vulnerabilities, which were reported to Oracle in November 2007.

This quarter does have a higher than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, although even if it was just one vulnerability the database security patch should still be a priority.

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5, or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle Critical Patch Update - April 2008 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session on Thursday, May 1 giving additional information on the CPU and its impact on your Oracle Applications implementation. OAUG members can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

Integrigy COLLABORATE 08 Presentations On-line

Stephen Kost — Fri, 18 Apr 2008 13:40:38 -0500

The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations. The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.

I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session. I guess security is really starting to become ingrained at many organizations. I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.

The PowerPoint presentations from my 3 sessions can be downloaded here -

Oracle Applications Users Group (OAUG)

Oracle E-Business Suite Critical Patch Updates: Insight and Understanding

Independent Oracle Users Group (IOUG)

Oracle Database Critical Patch Updates: Unwrapped

Real-life Database Security Mistakes

Critical Patch Update April 2008 Pre-Release Analysis

Stephen Kost — Mon, 14 Apr 2008 12:46:40 -0500

Here is a brief analysis of the pre-release announcement for the upcoming April 2008 Oracle Critical Patch Update (CPU) -

Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
This is the first CPU that includes fixes for Siebel.
The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -

Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
Application Server = 9.0.4.3, 10.1.2, and 10.1.3
E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x

The major CPU version support changes for April 2008 are -

Database version 10.2.0.2 is only supported for Solaris x86 and VMS
Oracle E-Business Suite 11i will require ATG RUP5 or RUP6

Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request. According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU. For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3. The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

Oracle Database

There are 17 database vulnerabilities and two are remotely exploitable without authentication. Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2. Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris X86 and VMS.

Oracle Application Server

There are 3 new Oracle Applications vulnerabilities, all of which are remotely exploitable without authentication. Two impact the Oracle Application server components Oracle Dynamic Monitoring Service and Oracle Portal. The third vulnerability is in Oracle Jinitiator, which is a client installed product.

Oracle E-Business Suite 11i and R12

7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication. Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.

Planning Impact

As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released.