Oracle Database
January 08, 2010
Oracle Critical Patch Update January 2010 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2010 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle E-Business Suite 11i and R12
Planning Impact
- Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU are 2 remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have a single remotely exploitable without authentication vulnerability in the database. Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup. If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
- There are no major version support changes in for this CPU.
Oracle Database
- There are 10 database vulnerabilities and two are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication there a buffer overflow in the Listener component that is remotely exploitable without authentication. Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).
- There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. The affected components are Access Manager Identify Server and Oracle Containers for J2EE. With maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.
Oracle E-Business Suite 11i and R12
- There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
- The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS. Of most interest will be if the AOL vulnerability is in an externally accessible web page.
Planning Impact
- The criticality of this quarter's CPU is in-line with previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
July 15, 2009
Oracle Critical Patch Update (CPU) - July 2009 - E-Business Suite Impact
Oracle released the nineteenth Critical Patch Update (CPU) on Tuesday, July 14, 2009 (CPU July 2009/CPUJul09). This quarter is the same as the previous eighteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 12 of the 30 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 AOL, CVE-2009-1982 OAF, and CVE-2009-1983 iStore are all externally accessible and two are remotely exploitable without authentication. These customers should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Oracle Critical Patch Update - July 2009 - E-Business Suite Impact
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 AOL, CVE-2009-1982 OAF, and CVE-2009-1983 iStore are all externally accessible and two are remotely exploitable without authentication. These customers should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Oracle Critical Patch Update - July 2009 - E-Business Suite Impact
July 13, 2009
Oracle Critical Patch Update July 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle E-Business Suite 11i and R12
Planning Impact
- Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU are 3 remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have a single remotely exploitable without authentication vulnerability in the database and having three such vulnerabilities could make this a significant and high priority CPU. Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
- There are no major version support changes in for this CPU.
Oracle Database
- There are 10 database vulnerabilities and three are remotely exploitable without authentication. As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
- The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components. One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
- Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
- There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools. The highest CVSS 2.0 metric is a 5.0 suggesting that these are only of limited risk. For the Oracle HTTP Server which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several month later. Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
Oracle E-Business Suite 11i and R12
- There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
- Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
- This is the first CPU with a patch for 12.1.
Planning Impact
- The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
May 07, 2009
COLLABORATE 09 Integrigy Presentations
The COLLABORATE 09 conference has completed and from all accounts was a success. For those of you not familiar with COLLABORATE, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. This year's conference had over 1,000 technical sessions covering virtually every Oracle product. Integrigy delivered 3 security related presentations and I have upload the presentations to our Security Resources section under Whitepapers and Presentations. Here are the links -
Oracle Critical Patch Updates: Insight and Understanding
Real World Database Auditing
Oracle Applications Users Group (OAUG)
Oracle Critical Patch Updates UnwrappedIndependent Oracle Users Group (IOUG)
Oracle Critical Patch Updates: Insight and Understanding
Real World Database Auditing
Categories:
January 08, 2009
Oracle Critical Patch Update January 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2009 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
- Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, and 12.0.x
- The highlight of this CPU are 9 remotely exploitable without authentication vulnerabilities in Oracle Secure Backup. All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
- There are no major version support changes in for this CPU. It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.
Oracle Database
- There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
- The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 5.5, which for database vulnerabilities should be considered medium to high risk for a database vulnerability. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
- There are 2 vulnerabilities in SQL*Plus Windows GUI (sqlplusw) client-side installation. Previously, these type of client-side have been buffer overflows in passed parameters or environmental variables.
Oracle Application Server
- There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.
Oracle E-Business Suite 11i and R12
- There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. It may be possible to exploit the one Oracle Applications Framework using any application account or generic accounts through modules such as iStore or iRecruitment.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
July 11, 2008
Oracle Critical Patch Update July 2008 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2008 Oracle Critical Patch Update (CPU) -
Oracle Database
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Correction: This post has been edited to update the supported Oracle E-Business Suite 11i versions. The original Oracle pre-release and Rev1 of the advisory incorrectly stated only 11.5.10.2 was supported - 11.5.10 and 11.5.10.1 are still supported.
- Overall, 45 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- This is the first CPU that includes fixes for BEA WebLogic, Hyperion BI, and TimesTen Database.
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, and 12.0.x
- The major CPU version support changes for July 2008 are -
- Database version 10.2.0.4 is included in the list of affected versions
- Oracle E-Business Suite 11i version 11.5.9 is no longer supported for CPUs
Oracle Database
- There are 11 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
- The vulnerabilities of most interest are in the Core RDBMS and Authentication components, but the Database Scheduler vulnerability could be interesting.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
- The 2 Oracle 11g vulnerabilities discovered by Integrigy are low risk and are not be directly exploitable, but may allow authentication security mis-configurations to go undetected.
Oracle Application Server
- There are 9 new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in Hyperion BI Plus, Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
- The Oracle HTTP Server vulnerabilities may be related to recent Apache HTTP Server and OpenSSL fixes.
- The Oracle Portal vulnerability may be related to CVE-2008-2138, which is an access restriction bypass issue in the WebDav component of Oracle Portal.
Oracle E-Business Suite 11i and R12
- There are 6 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. However, since iStore allows for customer self-registration, most likely the iStore vulnerability (or vulnerabilities) can be readily exploited by an unprivileged user.
- For the Oracle E-Business Suite 11i, only 11.5.10.x is now supported for CPUs and requires ATG_PF.H RUP 5 or RUP 6 be installed.
- The 2 Oracle E-Business Suite 11i/R12 vulnerabilities discovered by Integrigy are low risk and are in the Oracle Application Object Library (AOL/FND).
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Correction: This post has been edited to update the supported Oracle E-Business Suite 11i versions. The original Oracle pre-release and Rev1 of the advisory incorrectly stated only 11.5.10.2 was supported - 11.5.10 and 11.5.10.1 are still supported.
April 18, 2008
Integrigy COLLABORATE 08 Presentations On-line
The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations. The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.
I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session. I guess security is really starting to become ingrained at many organizations. I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.
The PowerPoint presentations from my 3 sessions can be downloaded here -
Oracle E-Business Suite Critical Patch Updates: Insight and Understanding
Oracle Database Critical Patch Updates: Unwrapped
Real-life Database Security Mistakes
I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session. I guess security is really starting to become ingrained at many organizations. I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.
The PowerPoint presentations from my 3 sessions can be downloaded here -
Oracle Applications Users Group (OAUG)
Oracle E-Business Suite Critical Patch Updates: Insight and Understanding
Independent Oracle Users Group (IOUG)
Oracle Database Critical Patch Updates: Unwrapped
Real-life Database Security Mistakes
April 14, 2008
Critical Patch Update April 2008 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming April 2008 Oracle Critical Patch Update (CPU) -
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Note: The pre-release announcement is removed when the CPU is released.
- Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- This is the first CPU that includes fixes for Siebel.
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
- The major CPU version support changes for April 2008 are -
- Database version 10.2.0.2 is only supported for Solaris x86 and VMS
- Oracle E-Business Suite 11i will require ATG RUP5 or RUP6
- Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request. According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU. For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3. The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
- There are 17 database vulnerabilities and two are remotely exploitable without authentication. Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
- According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2. Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris X86 and VMS.
Oracle Application Server
- There are 3 new Oracle Applications vulnerabilities, all of which are remotely exploitable without authentication. Two impact the Oracle Application server components Oracle Dynamic Monitoring Service and Oracle Portal. The third vulnerability is in Oracle Jinitiator, which is a client installed product.
Oracle E-Business Suite 11i and R12
- 7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication. Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Note: The pre-release announcement is removed when the CPU is released.
April 08, 2008
COLLABORATE 08 Presentations
For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. COLLABORATE 08 is next week, Sunday, April 13 through Thursday, April 17 in Denver. This year there will be over 500 technical sessions covering virtually every Oracle product.
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions, participating on a panel, and co-presenting in pre/post conference workshops.
Oracle Critical Patch Updates: Insight and Understanding
Tuesday, April 15, 2008
3:30 PM-4:30 PM
Securing the Oracle E-Business Suite Best Practices Panel
Moderated by Randy Giefer of Solution Beacon
Monday, April 14, 2008
8:00 AM-9:00 AM
120: Oracle Critical Patch Updates Unwrapped
Wednesday, April 16, 2008
1:30 PM - 2:30 PM
383: Real-life Database Security Mistakes
Thursday, April 17, 2008
11:00 AM - 12:00 PM
In conjunction with Jeff Hare of ERP Seminars, Stephen Kost is presenting a 1 hour session on Oracle Applications security at the "Oracle E-Business Suite Internal Controls and Security" pre and post conference workshops. Integrigy is pleased to be collaborating with Jeff Hare on these workshops as he is one of the world's leading experts on Oracle Applications internal controls.
Internal Controls and Security Best Practices in an Oracle Applications Environment
See you in Denver!
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions, participating on a panel, and co-presenting in pre/post conference workshops.
Oracle Applications Users Group (OAUG)
Oracle Critical Patch Updates: Insight and Understanding
Tuesday, April 15, 2008
3:30 PM-4:30 PM
Securing the Oracle E-Business Suite Best Practices Panel
Moderated by Randy Giefer of Solution Beacon
Monday, April 14, 2008
8:00 AM-9:00 AM
Independent Oracle Users Group (IOUG)
120: Oracle Critical Patch Updates Unwrapped
Wednesday, April 16, 2008
1:30 PM - 2:30 PM
383: Real-life Database Security Mistakes
Thursday, April 17, 2008
11:00 AM - 12:00 PM
Pre and Post Conference OAUG Workshops
In conjunction with Jeff Hare of ERP Seminars, Stephen Kost is presenting a 1 hour session on Oracle Applications security at the "Oracle E-Business Suite Internal Controls and Security" pre and post conference workshops. Integrigy is pleased to be collaborating with Jeff Hare on these workshops as he is one of the world's leading experts on Oracle Applications internal controls.
Internal Controls and Security Best Practices in an Oracle Applications Environment
- Sunday, April 13 9:00 a.m. - 5:00 p.m.
- Thursday, April 17 9:00 a.m. - 5:00 p.m.
See you in Denver!
Categories:
Oracle Critical Patch Updates Database Patchset Support
A point of contention and confusion regarding Oracle Critical Patch Update (CPU) database patches is that only a limited set of database patchsets are supported. For the January 2008 CPU, only the patchsets 9.2.0.8, 10.1.0.5, 10.2.0.2, 10.2.0.3, and 11.1.0.6 are supported. Oracle's policy is stated in the CPU Frequently Asked Questions (FAQ) (Metalink Note ID 360470.1) -
The "Database, FMW, and OCS Software Error Correction Support Policy Version 2.1" (Metalink Note ID 209768.1) provides more details on the CPU support policy, since there are a number of exceptions or deviations in the policy based on platforms and extended support. Appendix A gives exact timing for patchset support for the database and Fusion middleware, which is 1 year from the release of the most current patchset. For database versions under Extended Support, CPU patches will be available for the terminal patchset until Extended Support period ends.
Based on Oracle's policy, all organizations as a matter of policy should apply a database patchset at least annually in order to apply CPU patches on a timely basis. Oracle maintains strict adherence to this policy with few exceptions. With the release of 10.2.0.4 in February/March 2008 for Linux and other platforms, CPU support for 10.2.0.3 should be ending March 2009 -- this means no April 2009 CPU for 10.2.0.3. This support timeline can be problematic for some databases as the application may not allow or certify the newest patchset for a number of months, thus cutting this year to a few months in some cases.
(This may be difficult for many organizations to fathom since many have not yet applied April 2007 nor upgraded from 10.2.0.2.)
"As a general rule, Critical Patch Updates (CPUs) are created for the last two patch sets of Server Technologies releases during the period when a release is in Premier Support (under the Lifetime Support Policy) or Error Correction Support (ECS). However, in the case where the latest patch set of a release has been available for more than 1 year, CPUs will be provided only for the most recent patch set for that release. Once a release enters its Extended Support (under the Lifetime Support Policy) or Extended Maintenance Support (EMS) period, CPUs are created only for the last patch set of that release."
Based on Oracle's policy, all organizations as a matter of policy should apply a database patchset at least annually in order to apply CPU patches on a timely basis. Oracle maintains strict adherence to this policy with few exceptions. With the release of 10.2.0.4 in February/March 2008 for Linux and other platforms, CPU support for 10.2.0.3 should be ending March 2009 -- this means no April 2009 CPU for 10.2.0.3. This support timeline can be problematic for some databases as the application may not allow or certify the newest patchset for a number of months, thus cutting this year to a few months in some cases.
(This may be difficult for many organizations to fathom since many have not yet applied April 2007 nor upgraded from 10.2.0.2.)
Categories:
Oracle Critical Patch Updates - Types of Fixes in Database Patches
An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes. The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult to to determine the true impact of a specific CPU patch. By including non-security related fixes in the CPU patch reduces the confidence that the patch will not break something.
With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches. From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -
The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches. The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch.
With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches. From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -
Starting with Database patch set 10.2.0.3, CPUs have security fixes and any pre-requisite non-security fixes, but no longer contain non-security fixes introduced to resolve patch conflicts. Even though Oracle intends to include mainly security fixes in CPUs, we may decide to include high-priority non-security fixes. We will always identify them in the CPU documentation.
The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches. The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch.
Categories:
October 12, 2007
Critical Patch Update October 2007 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) -
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Note: The pre-release announcement is removed when the CPU is released.
- Overall, 51 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix is similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. There are no new vulnerabilities in Oracle Collaboration Suite. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.8, 11.5.9, 11.5.10.x, and 12.0.x
- Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed. The CPU patches will only be available upon request. Fortunately according to the July 2007 CPU note (Metalink Note ID 432873.1), all supported platform/version combinations will have patches proactively released for the October 2007 CPU. The database note for the October 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
- This is the first CPU using version 2.0 of the CVSS metric. CVSS 2.0 scores seem to be more consistent, but still grossly understate the severity of many database and application vulnerabilities. Even a vulnerability may allow a complete compromise of the database, the score is less than 7.
- There are 5 remotely exploitable without authentication vulnerabilities, which are not typical of previous database vulnerabilities. Most previous database vulnerabilities require database authentication to exploit. Depending on the exact nature of the 5 remotely exploitable without authentication vulnerabilities, this quarter's CPU could prove to be the most critical in the past 2 years.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.
- The major version support change for this quarter is that 9.2.0.7 is no longer supported.
Oracle Application Server
- 7 of the 11 vulnerabilities are remotely exploitable without authentication. A number of these vulnerabilities are probably related to recently fixed Apache which is the base of the Oracle HTTP Server. Organizations with Internet facing Application Server deployments will most likely want to prioritize this quarter's CPU patches as Oracle HTTP Server, Oracle Single Sign-on, and Oracle Portal are all affected.
- There are no major changes to the support Oracle Application Server versions for this quarter.
Oracle E-Business Suite 11i and R12
- Only 1 of the 8 vulnerabilities in the Oracle E-Business Suite is remotely exploitable without authentication.
- All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.3). This will be the last CPU for 11.5.8.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Note: The pre-release announcement is removed when the CPU is released.
May 29, 2007
Is the Oracle Database Indefensible?
Network security expert Richard Bejtlich recently posted some interesting comments regarding Oracle Security on his blog TaoSecurity.
I think his observation at a macro level is generally correct. Oracle seems to have arrived at the "secure coding" party late and has a significant C code base, some of which dates all the way back to around 1982. Many of the standard PL/SQL packages and associated C libraries were originally written in the early 1990's. A fun excursion is to look at the modification history of the $ORACLE_HOME/rdbms/admin SQL scripts -- you will see many of these scripts were created 10 to 20 years ago. Remember that the terms "buffer overflow" and "SQL injection" didn't really enter the lexicon until 1996 and 2000, respectively.
To judge Oracle on secure coding, you really need to look at the number of vulnerabilities affecting only recent versions of the database and application server. So far, the results are mixed, but encouraging. Although, more time has to elapse to see what security bugs are in the queue.
Mary Ann Davidson, Oracle CSO, frequently talks about secure coding and how vendors should be more public about their development practices. I would really like to know what Oracle is doing about the large database code base where over 150 security bugs have been fixed to date. Oracle has purchased Fortify as a source code scanning tool, but is there a team of 20 or 100 people dedicated to reviewing every line of code. Many of the security bugs being found today could have been found internally 3 or 4 years ago.
"Speaking of database security, I got a chance to see Alexander Kornbrust of Red-Database-Security GmbH talk about Oracle (in)security at CONFidence 2007. His talk reminded me of comments Thomas Ptacek once made about certain software being indefensible ten years ago, whereas now we have a fighting chance with some software. After hearing Alex's talk I think Oracle belongs in the indefensible category. Oracle appears to be at least five years behind their peer group in terms of producing "secure" code."
I think his observation at a macro level is generally correct. Oracle seems to have arrived at the "secure coding" party late and has a significant C code base, some of which dates all the way back to around 1982. Many of the standard PL/SQL packages and associated C libraries were originally written in the early 1990's. A fun excursion is to look at the modification history of the $ORACLE_HOME/rdbms/admin SQL scripts -- you will see many of these scripts were created 10 to 20 years ago. Remember that the terms "buffer overflow" and "SQL injection" didn't really enter the lexicon until 1996 and 2000, respectively.
To judge Oracle on secure coding, you really need to look at the number of vulnerabilities affecting only recent versions of the database and application server. So far, the results are mixed, but encouraging. Although, more time has to elapse to see what security bugs are in the queue.
Mary Ann Davidson, Oracle CSO, frequently talks about secure coding and how vendors should be more public about their development practices. I would really like to know what Oracle is doing about the large database code base where over 150 security bugs have been fixed to date. Oracle has purchased Fortify as a source code scanning tool, but is there a team of 20 or 100 people dedicated to reviewing every line of code. Many of the security bugs being found today could have been found internally 3 or 4 years ago.
Categories:
April 20, 2007
Oracle 9.2.0.8 April 2007 CPU Patch Available
Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch much ahead of scheduled April 30th date. Media reports (here) were critical of Oracle's failure to release this patch in a timely manner due to the severity of one of the bugs affecting the database running on the Windows platform.
However, the Oracle E-Business Suite patch available matrix has not yet been updated (Metalink Note ID 420072.1) to reflect the change and still has the April 30th date. It is most likely just an oversight, although the issue with the patch may be related to the Oracle E-Business Suite. If you are planning on or need to apply the patch this weekend, you should open a TAR with Oracle to verify the correct course of action.
However, the Oracle E-Business Suite patch available matrix has not yet been updated (Metalink Note ID 420072.1) to reflect the change and still has the April 30th date. It is most likely just an oversight, although the issue with the patch may be related to the Oracle E-Business Suite. If you are planning on or need to apply the patch this weekend, you should open a TAR with Oracle to verify the correct course of action.
April 10, 2007
Critical Patch Update April 2007 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming April 2007 Critical Patch Update (CPU) -
Oracle Application Server
Oracle E-Business Suite 11i and R12
Planning Impact
Note: The pre-release announcement is removed when the CPU is released.
- Overall, 37 security vulnerabilities are fixed in this CPU, which is much lower than average but in the range of previous CPUs (Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Secure Enterprise Search. All supported Oracle Database, Oracle Application Server, Oracle Enterprise Manager, and Oracle E-Business Suite versions are included.
- There are two easy to exploit, remotely exploitable, and authentication not required vulnerabilities, which are not typical of previous database vulnerabilities. Most previous database vulnerabilities require database authentication to exploit.
- Two of the vulnerabilities impact database client installations, which may require a significant patching effort.
- At least two of the database security vulnerabilities have a CVSS metric of 7.0, which for database vulnerabilities is severe (7.0 is really the practical maximum for a database vulnerability).
- The major version support change is that it appears 10.2.0.1 will not be supported for the major platforms (Sun Solaris SPARC, HP/UX, IBM AIX, Linux, Windows x86).
Oracle Application Server
- The security vulnerabilities exist in COREid Access, Discoverer, Portal, Wireless, Workflow, and Secure Enterprise Search. None of the issues appear to affect the Oracle HTTP Server (Apache).
- The major version support changes are that Oracle Application Server 9.0.4.1 and 9.0.4.2 are no longer supported.
Oracle E-Business Suite 11i and R12
- There are two easy to exploit, remotely exploitable, and authentication not required vulnerabilities. These security bugs most likely exist in iStore, iSupport, and/or iProcurement, which will require immediate patching.
- All supported versions are included (11.5.7 to 11.5.10 CU2 and 12.0.0).
- Error Correction Support (ECS) for 11.0.3 ended February 28, 2007. There are no CPU patches available for 11.0.3 after the January 2007 CPU, even though many of the security vulnerabilities most likely exist in this version.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- The database client patches will need to be carefully evaluated to determine the impact and potential patching effort.
- Customers running iStore, iSupport, and/or iProcurement should considering applying these patches ASAP.
Note: The pre-release announcement is removed when the CPU is released.
March 20, 2007
Oracle and Symantec Threat Report: Bad Counting?
Usually, I am not in the position to defend Oracle on the number of vulnerabilities fixed, but the recent Symantec Internet Security Threat Report inflated the vulnerability count for Oracle by comparing apples and oranges. This version of the Threat Report contains a comparison of the number of vulnerabilities found in five leading relational databases (Oracle, IBM DB2, Microsoft SQL Server, MySQL, and PostgreSQL). Oracle looks really bad with 168 vulnerabilities published during the second half of 2006 as compared to 5 for IBM DB2 and 0 for Microsoft SQL Server during the same period. I am not here to defend Oracle as the true number is way more than 5, however, it is far less than 168 when only comparing database vulnerabilities to database vulnerabilities.
Our internal count puts the Oracle Database-only published vulnerability count for the second half of 2006 at 49. In the most limited installation of the Oracle RDBMS without any optional products, the number of vulnerabilities would be about 20. The Symantec report does address the feature issue by saying -
Our internal count puts the Oracle Database-only published vulnerability count for the second half of 2006 at 49. In the most limited installation of the Oracle RDBMS without any optional products, the number of vulnerabilities would be about 20. The Symantec report does address the feature issue by saying -
"Oracle’s database implementations offer a greater feature set and a broader range of database products than many of the other database vendors. The more features an application has, the more code that is available in which to find vulnerabilities, and the more code that must be audited for vulnerabilities. This can equate to a higher proportion of vulnerabilities, depending on the nature and complexity of the features."
What I find interesting is that Symantec appears to have been able to filter IBM WebSphere and other IBM products from the IBM DB2 count, but did not do the same for Oracle (based on a quick search of NVD).
Categories:
January 16, 2007
Oracle January 2007 CPU Initial Thoughts
Oracle has released the January 2007 Critical Patch Update (CPU). A major change for this quarter's CPU was the release of a pre-announcement on January 11th giving an overview of the products patches and a summary of the vulnerabilities. On the surface, the pre-announcement looked pretty bad with the highest CVSS base score being 7.0 for the database, Enterprise Manager, and E-Business Suite. However, the worst database vulnerabilities are exclusively in the Oracle HTTP Server, which is an optional component for the database.
Generally, the CPU is very similar to previous quarters in terms of the types of vulnerabilities and scope. The most disconcerting issue is that the same packages keep appearing in the CPUs - sys.dbms_capture_adm_internal (January 2006) and sys.dbms_cdc_subscribe (April 2005).
The worst vulnerabilities are in the Oracle HTTP Server SSL Module (OpenSSL) with OpenSSL versions prior to 0.9.7l and 0.9.8d being vulnerable. SSL must be configured for the Oracle HTTP Server in order to exploit these bugs. Only the 9i versions (9.0 and 9.2) of the Oracle Database HTTP Server and Oracle E-Business Suite Oracle Application Server (1.0.2.2) are vulnerable, not any supported versions of the Oracle Application Server. If you are running a desupported version of the Oracle Application Server, you most likely are vulnerable to these OpenSSL bugs.
Here are some further observations -
Overall, I think Oracle is beginning to get a little sloppy with the Critical Patch Update process as there seems to be many more missing patches and minor errors in the advisory and notes (incorrect titles, etc.). The whole process from an internal Oracle perspective is very complex with the number of products and platforms involved, but after 2 years of CPUs Oracle should have the internal handling of CPUs in a little better shape.
Generally, the CPU is very similar to previous quarters in terms of the types of vulnerabilities and scope. The most disconcerting issue is that the same packages keep appearing in the CPUs - sys.dbms_capture_adm_internal (January 2006) and sys.dbms_cdc_subscribe (April 2005).
The worst vulnerabilities are in the Oracle HTTP Server SSL Module (OpenSSL) with OpenSSL versions prior to 0.9.7l and 0.9.8d being vulnerable. SSL must be configured for the Oracle HTTP Server in order to exploit these bugs. Only the 9i versions (9.0 and 9.2) of the Oracle Database HTTP Server and Oracle E-Business Suite Oracle Application Server (1.0.2.2) are vulnerable, not any supported versions of the Oracle Application Server. If you are running a desupported version of the Oracle Application Server, you most likely are vulnerable to these OpenSSL bugs.
Here are some further observations -
- The 9.2.0.8 database patch is really the October 2006 CPU patch, which was released late on December 29, 2006. I am assuming Oracle just rolled-up any January 2007 fixes in the October 2006 patch, although it could be a mistake in the advisory.
- For 10.2.0.3, the installation note says the patch for 10.2.0.3 is "not applicable", but the advisory says the assessment of vulnerabilities in 10.2.0.3 is not complete and patches are forthcoming. When performing your risk and impact assessment, be sure to include 10.2.0.3 as needing to be patched.
- Again this quarter, a number of CPU patches are delayed including the following -
- Database patches 9.2.0.5 (Unix/Linux), 9.2.0.6, 10.1.0.3 (Unix/Linux), and 10.2.0.3. With the October 2006 CPU, some of these short delays did become almost 75 days.
- Oracle Application Server 9.0.4.1 (Unix/Linux)
- Oracle Identity Management 10.1.4
- Oracle Enterprise Manager 10.2.0.1
Overall, I think Oracle is beginning to get a little sloppy with the Critical Patch Update process as there seems to be many more missing patches and minor errors in the advisory and notes (incorrect titles, etc.). The whole process from an internal Oracle perspective is very complex with the number of products and platforms involved, but after 2 years of CPUs Oracle should have the internal handling of CPUs in a little better shape.
January 03, 2007
October 2006 CPU and 9.2.0.8 - Patches Finally Available
If you haven't noticed due to the holidays, Oracle has finally released the October 2006 Critical Patch Update (CPU) for 9.2.0.8 on Unix/Linux and Windows. These patches were released 75 days after the CPU and at least 45 days after the initial projected date.
The 9.2.0.8 Database patch should be applied for all Oracle E-Business Suite databases running 9.2.0.8, even though the patch is not listed in the CPU documentation for the E-Business Suite.
December 21, 2006
Integrigy Oracle Listener Security Check Tool Updated (version 2.2)
We have updated our free Oracle Database Listener Security Check tool that analyzes security of the Oracle Database TNS Listener to identify potential security issues.
Two new features have been added from upcoming changes to our AppSentry security auditing tool -
The AppSentry Listener Security Check Tool is available for download at -
http://www.integrigy.com/security-resources/whitepapers/lsnrcheck-tool/view
Two new features have been added from upcoming changes to our AppSentry security auditing tool -
- Checks all the entries in a tnsnames.ora file for four security configuration issues in the database listener
- Generate TNS entries and JDBC connect strings (6 different ways) for enumerated SIDs
The AppSentry Listener Security Check Tool is available for download at -
http://www.integrigy.com/security-resources/whitepapers/lsnrcheck-tool/view
Categories:
December 18, 2006
Integrigy Oracle Listener Security Check Tool Updated
We have updated our free Oracle Database Listener Security Check tool that analyzes security of the Oracle Database TNS Listener to identify potential security issues. The tool performs four basic checks for the Database Listener in a simple and user friendly way - (1) is a listener password set, (2) is ADMIN_RESTRICTIONS set, (3) is logging enabled, and (4) is LOCAL_OS_AUTHENTICATION enabled for Oracle 10g. It is a single executable that can be run from any Windows XP/2000 PC, requires no Oracle client install, and can be run from a USB key.
The following enhancements are in the new version -
The AppSentry Listener Security Check Tool is available for download at -
http://www.integrigy.com/security-resources/whitepapers/lsnrcheck-tool/view
The following enhancements are in the new version -
- Fully compatible with Oracle 10g (10.1 and 10.2)
- New Oracle Applications 11i check for database and FNDFS listeners
- New enumeration of all instances for a listener
- Saves history of servers and ports for easy access
The AppSentry Listener Security Check Tool is available for download at -
http://www.integrigy.com/security-resources/whitepapers/lsnrcheck-tool/view
Categories:
