• A review of the security vulnerabilities fixed in this CPU,
• An analysis of the required CPU patches,
• A discussion of patching including CPUs vs. PSUs.

• Overall, 38 Oracle security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).  These numbers have been normalized for Oracle products and excludes any Sun products.
  
• The Oracle product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
  
• Application Server = 10.1.2.3.0
• E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  
• The highlight of this CPU is 4 of 6 Oracle Database security vulnerabilities are remotely exploitable without authentication.  It is rare to have a single remotely exploitable without authentication vulnerability in the database.  Most likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application Builder.  If the remotely exploitable vulnerabilities are in the Listener component, then this could only be a denial of service vulnerabilities.
• There are no major version support changes in for this CPU.
• Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2010 CPU E-Business Suite Impact Webinar Thursday, July 22, 2pm ET and (2) Oracle July 2010 CPU Oracle Database Impact Webinar Thursday, July 29, 2pm ET.

• There are 6 database vulnerabilities and four are remotely exploitable without authentication.
  
• Since at least one database vulnerability has a CVSS 2.0 metric of 7.8 (practical maximum for a database vulnerability), this is a fairly important CPU.  Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.
  

• There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication.  For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control.  Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.

• There are 7 new Oracle E-Business Suite 11i and R12 vulnerabilities, five of which are remotely exploitable without authentication.
• The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management.  Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF) and these might exploitable in externally accessible web pages.

• We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs.  The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
  
• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
• Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall.  If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.

• a review of the security vulnerabilities fixed in the CPU,
• an analysis of the required CPU patches,
• a discussion of a high-level patch strategy.

• A review of the security vulnerabilities fixed in this CPU,
• An analysis of the required CPU patches,
• A discussion of patching including CPUs vs. PSUs.

• Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  
• The highlight of this CPU are 2 remotely exploitable without authentication vulnerabilities in the Oracle Database.  It is rare to have a single remotely exploitable without authentication vulnerability in the database.  Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup.  If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
• There are no major version support changes in for this CPU.
  

• There are 10 database vulnerabilities and two are remotely exploitable without authentication.
  
• Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication there a buffer overflow in the Listener component that is remotely exploitable without authentication.  Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).

• There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication.  The affected components are Access Manager Identify Server and Oracle Containers for J2EE.  With maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.
  

• There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
• The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS.  Of most interest will be if the AOL vulnerability is in an externally accessible web page.
  

• The criticality of this quarter's CPU is in-line with previous CPUs. 
  
• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

The new minimum supported baseline will be Release 12.0.3; that is, Oracle E-Business Suite Critical Patch Updates will only be available for customers on Release 12.0.3 or higher.

Oracle Applications Technology (ATG) Minimum Supported Baseline:

Beginning with the July 2007 Critical Patch Update (CPUJul2007), Oracle Applications Technology only supports the current and previous production rollups (RUPn and RUPn-1) as patching baselines for all 11i releases.

• Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
  
• The highlight of this CPU are 3 remotely exploitable without authentication vulnerabilities in the Oracle Database.  It is rare to have a single remotely exploitable without authentication vulnerability in the database and having three such vulnerabilities could make this a significant and high priority CPU.  Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
  
• There are no major version support changes in for this CPU.
  

• There are 10 database vulnerabilities and three are remotely exploitable without authentication.  As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
• The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components.  One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
• Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).

• There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication.  In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication.  The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools.  The highest CVSS 2.0 metric is a 5.0 suggesting that these are only of limited risk.  For the Oracle HTTP Server which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several month later.  Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
  

• There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
• Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
• This is the first CPU with a patch for 12.1.

• The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs. 
  
• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

• Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.10.x, and 12.0.x
• The highlight of this CPU are 9 remotely exploitable without authentication vulnerabilities in Oracle Secure Backup.  All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
• There are no major version support changes in for this CPU.  It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.
  

• There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs.  Usually, the vast majority of database vulnerabilities require authentication.  However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
  
• The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
  
• At least one of the database security vulnerabilities has a CVSS 2.0 metric of 5.5, which for database vulnerabilities should be considered medium to high risk for a database vulnerability.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
• There are 2 vulnerabilities in SQL*Plus Windows GUI (sqlplusw) client-side installation.  Previously, these type of client-side have been buffer overflows in passed parameters or environmental variables.
  

• There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication.  In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication.  The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.
  

• There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication.  It may be possible to exploit the one Oracle Applications Framework using any application account or generic accounts through modules such as iStore or iRecruitment.
  

• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

1. Oracle provided a mapping to previously released vulnerabilities only for those vulnerabilities in core components like Apache and OpenSSL.  No mapping was provided for previously publicly disclosed vulnerabilities, so there are cases when the same vulnerability has two CVE identifiers.
   
2. A single CVE identifier was usually assigned to multiple vulnerabilities in an almost arbitrary fashion.  This meant that a CVE identifier might include vulnerabilities from multiple components and in the case of the Oracle E-Business Suite across multiple patches.  For Integrigy, this caused problems with our vulnerability scanning tool, AppSentry, since our reports have to handle many-to-many mappings when dealing with CVEs, patches, and vulnerabilities.
   
3. The CVE numbers were usually assigned 1-2 days after the Oracle release.

• Overall, 45 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• This is the first CPU that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
  
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.10.x, and 12.0.x
• The major CPU version support changes for July 2008 are -
  
• Database version 10.2.0.4 is included in the list of affected versions
  
• Oracle E-Business Suite 11i version 11.5.9 is no longer supported for CPUs
  

• There are 11 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs.  Usually, the vast majority of database vulnerabilities require authentication.  However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
  
• The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting.
  
• At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
• The 2 Oracle 11g vulnerabilities discovered by Integrigy are low risk and are not be directly exploitable, but may allow authentication security mis-configurations to go undetected.

• There are 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication.  In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication.  The vulnerabilities are in Hyperion BI Plus, Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
  
• The Oracle HTTP Server vulnerabilities may be related to recent Apache HTTP Server and OpenSSL fixes.
• The Oracle Portal vulnerability may be related to CVE-2008-2138, which is an access restriction bypass issue in the WebDav component of Oracle Portal.

• There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication.  However, since iStore allows for customer self-registration, most likely the iStore vulnerability (or vulnerabilities) can be readily exploited by an unprivileged user.
• For the Oracle E-Business Suite 11i, only 11.5.10.x is now supported for CPUs and requires ATG_PF.H RUP 5 or RUP 6 be installed.
• The 2 Oracle E-Business Suite 11i/R12 vulnerabilities discovered by Integrigy are low risk and are in the Oracle Application Object Library (AOL/FND).

• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the April 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

Oracle Applications Users Group (OAUG)

Independent Oracle Users Group (IOUG)

• Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
• This is the first CPU that includes fixes for Siebel.
• The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
• Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
  
• Application Server = 9.0.4.3, 10.1.2, and 10.1.3
• E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
• The major CPU version support changes for April 2008 are -
  
• Database version 10.2.0.2 is only supported for Solaris x86 and VMS
• Oracle E-Business Suite 11i will require ATG RUP5 or RUP6
• Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request.  According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU.  For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
  
  

• There are 17 database vulnerabilities and two are remotely exploitable without authentication.  Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
  
• At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
• According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris X86 and VMS.

• There are 3 new Oracle Applications vulnerabilities, all of which are remotely exploitable without authentication.  Two impact the Oracle Application server components Oracle Dynamic Monitoring Service and Oracle Portal.  The third vulnerability is in Oracle Jinitiator, which is a client installed product.
  

• 7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.
  

• As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.