Oracle Database
January 17, 2012
Critical Oracle Database Bug - System Change Number (SCN) (CVE-2012-0082)
Where this vulnerability gets interesting is that when two databases communicate over a database link, both are synchronized to the higher of their two SCNs. It is therefore possible to push one database to near the maximum SCN through a database link, and the inflated value then cascades through every other interconnected database. The result can be ORA-600 errors and potentially crashes on the databases that previously had the lower SCN.
This vulnerability appears to have been discovered as the result of a bug in RMAN that can cause the SCN to reach the current maximum SCN value, combined with a change in the way the Maximum Reasonable SCN is calculated in 11.2.0.2. The 11.2.0.2 change appears to have impacted or crashed at least a hundred databases at a very large Oracle customer.
As this vulnerability will get significant press, we foresee an "arms race" ensuing, with the release of different methods to maliciously increment the current SCN and techniques to perform SCN-related database denial of service attacks.
Integrigy will be publishing in the near future our analysis of the impact of this vulnerability along with recommendations on mitigating the risk in your organization.
Oracle has published more information regarding SCNs and potential impact in a My Oracle Support (MOS) note (requires My Oracle Support access) -
Information on the System Change Number (SCN) and how it is used in the Oracle Database [ID 1376995.1]
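To make the headroom and cascade behaviour described above concrete, the following is an added example (not code from the original post or from Oracle). The Maximum Reasonable SCN formula it uses, 16384 SCNs per second counted from 1988-01-01 00:00:00 UTC, is the rate Oracle documents in the MOS note cited above, not something stated on this page; the database names, link topology and SCN values are constructed for illustration.

```python
"""Oracle SCN headroom and database-link propagation, illustrated.

Added example, not from the original post. The 16384 SCN/second rate and
the 1988-01-01 epoch are taken from Oracle's published SCN documentation
(MOS note 1376995.1); all database names, links and SCN values below are
constructed for illustration.
"""
from datetime import datetime, timezone

SCN_RATE_PER_SEC = 16384                               # Oracle's published SCN rate limit
SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)  # start of the SCN clock


def max_reasonable_scn(at_utc: str) -> int:
    """Highest SCN an instance considers 'reasonable' at the given UTC time
    (ISO-8601 string; a naive timestamp is assumed to be UTC)."""
    at = datetime.fromisoformat(at_utc)
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)
    elapsed = int((at - SCN_EPOCH).total_seconds())
    return SCN_RATE_PER_SEC * elapsed


def scn_headroom_days(current_scn: int, at_utc: str) -> float:
    """Days until current_scn would reach the reasonable maximum if SCNs
    were consumed continuously at the full rate. Near zero means a single
    large jump (for example, one arriving over a database link) can push the
    database past the limit."""
    remaining = max_reasonable_scn(at_utc) - current_scn
    return remaining / (SCN_RATE_PER_SEC * 86400)


def sync_over_links(scns: dict, links: list) -> dict:
    """Simulate SCN synchronisation across database links: each time a link is
    used, both ends move to the higher of the two SCNs. Repeating until the
    values stop changing shows how one inflated database drags every database
    it is transitively linked to up to the same SCN, while unlinked databases
    keep their own value."""
    scns = dict(scns)
    changed = True
    while changed:
        changed = False
        for a, b in links:
            high = max(scns[a], scns[b])
            if scns[a] != high or scns[b] != high:
                scns[a] = scns[b] = high
                changed = True
    return scns


if __name__ == "__main__":
    now = "2012-01-17T00:00:00"
    # constructed fleet: ERP has been driven close to the maximum
    fleet = {"ERP": max_reasonable_scn(now) - 1_000_000, "CRM": 5_000_000,
             "DW": 7_500_000, "ISOLATED": 1_000_000}
    links = [("ERP", "CRM"), ("CRM", "DW")]
    for name, scn in sync_over_links(fleet, links).items():
        print(f"{name:9s} scn={scn:16d} headroom={scn_headroom_days(scn, now):8.2f} days")
```

On a live database the input for `scn_headroom_days` is the value of `SELECT current_scn FROM v$database`, taken with the database server's clock. The simulation is deliberately simple: it models only the synchronisation rule (both ends take the higher SCN), not how the SCN is raised in the first place.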
November 01, 2011
Upcoming Webinar: Oracle Critical Patch Update October 2011 Database Impact
Thursday, November 3, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2011 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
July 26, 2011
Upcoming Webinars: Oracle Critical Patch Update July 2011
Oracle July 2011 CPU - Oracle E-Business Suite Impact
Thursday, July 28, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the July 2011 CPU and the impact on E-Business Suite environments.
Topics will include:
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle July 2011 CPU - Oracle Database Impact
Tuesday, August 2, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2011 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
July 17, 2011
Oracle Critical Patch Update July 2011 Pre-Release Analysis
- Overall, 55 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an above average number but well within the range of previous CPUs (Apr-11=47, Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs, with the only exception being a large number of Oracle Grid Control vulnerabilities fixed this quarter. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 for major platforms
- Application Server = 10.1.2.3.0, 10.1.3.5.0, 11.1.1.3.0, 11.1.1.4.0, and 11.1.1.5.0
- E-Business Suite = 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- As anticipated by Integrigy, this is the first CPU available for Oracle Database 11.2.0.2.
- For Oracle E-Business Suite, as of the July 2011 CPU there is no CPU support for any version prior to 11.5.10.2 or for 12.0.0 - 12.0.5. We are not sure if it is a mistake in the CPU, but 12.0.4 is listed as a supported version. 11.5.10.2 requires the "Minimum Baseline for Extended Support" as specified in Metalink Note ID 883202.1.
- Based on the pre-release announcement, few determinations can be made as to the actual severity and impact on most organizations because of the varied components being patched this quarter. For the database, the highest CVSSv2 score is a 7.2 and 2 vulnerabilities are remotely exploitable without authentication. However, since 18 components are listed as being patched for the 13 vulnerabilities, it is hard to determine the impact without more details regarding individual vulnerabilities. We anticipate the highest scoring vulnerabilities will be the client-side and Database Vault vulnerabilities.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2011 CPU E-Business Suite Impact Webinar Thursday, July 28, 2pm ET and (2) Oracle July 2011 CPU Oracle Database Impact Webinar Tuesday, August 2, 2pm ET.
Oracle Database
- There are 13 database vulnerabilities; 2 are remotely exploitable without authentication and 2 are applicable to client-side only installations.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.1 (important to high for a database vulnerability), this is a fairly important CPU.
- The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments. It will be interesting to see what the actual vulnerabilities are in these components: CMDB Metadata & Instance APIs, Content Management, Core RDBMS, Database Target Type Menus, Database Vault, EMCTL, Enterprise Config Management, Enterprise Manager Console, Event Management, Instance Management, Oracle Universal Installer, Schema Management, Security Framework, Security Management, SQL Performance Advisories/UIs, Streams, AQ & Replication Mgmt, and XML Developer Kit.
- In addition, there are 18 vulnerabilities in Oracle Enterprise Manager and 3 in Oracle Secure Backup.
- There are 7 new Oracle Fusion Middleware vulnerabilities, 2 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.
Oracle E-Business Suite 11i and R12
- There is only one new Oracle E-Business Suite 11i and R12 vulnerability, which is remotely exploitable without authentication. Most likely the Business Intelligence vulnerability cannot be exploited externally in DMZ implementations.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. Based on the patched components, this may be a lower than average risk CPU for specific databases based on configuration and installed options. It appears most of the vulnerabilities are related to Enterprise Manager components.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- For Oracle E-Business Suite customers, most likely the Business Intelligence patch will have to be applied to all implementations even if the Business Intelligence module is not installed, configured, or licensed.
Upcoming Integrigy CPU Webinars
Oracle July 2011 CPU E-Business Suite Impact
Thursday, July 28, 2pm ET
Oracle July 2011 CPU Oracle Database Impact
Tuesday, August 2, 2pm ET
May 04, 2011
Upcoming Webinar: Oracle Critical Patch Update April 2011 - Oracle Database Impact
Thursday, May 5, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the April 2011 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
April 14, 2011
Oracle Critical Patch Update April 2011 Pre-Release Analysis
- Overall, 47 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an average number and well within the range of previous CPUs (Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 for major platforms
- Application Server = 10.1.2.3.0, 10.1.3.5.0, 11.1.1.2.0, 11.1.1.3.0, and 11.1.1.4.0
- E-Business Suite = 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- As anticipated by Integrigy, this is the first CPU available for Oracle Database 11.2.0.2.
- For Oracle E-Business Suite, as of the April 2011 CPU there is no CPU support for any version prior to 11.5.10.2 or for 12.0.0 - 12.0.5. 11.5.10.2 requires the "Minimum Baseline for Extended Support" as specified in Metalink Note ID 883202.1.
- The highlight of this CPU is that 6 of 9 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication, with the highest CVSSv2 score being 10.0. The vulnerabilities are in the Oracle Help, Oracle HTTP Server, Oracle JRockit, Oracle Outside In Technology, Oracle Security Service, Oracle WebLogic Server, Portal, and Single Sign On components.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle April 2011 CPU E-Business Suite Impact Webinar Thursday, April 28, 2pm ET and (2) Oracle April 2011 CPU Oracle Database Impact Webinar Thursday, May 5, 2pm ET.
Oracle Database
- There are 6 database vulnerabilities and 2 are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 6.5 (important to high for a database vulnerability), this is a fairly important CPU.
- The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments. It will be interesting to see what the actual vulnerabilities are in these components: Application Service Level Management, Database Vault, Network Foundation, Oracle Help, Oracle Security Service, Oracle Warehouse Builder, and UIX. If the Network Foundation bug is a denial of service and most of the other components are not implemented in an environment, this could be one of the first CPUs to be classified as low risk for some Oracle databases.
- There are 9 new Oracle Fusion Middleware vulnerabilities, 6 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- Of critical importance will be the fixes in the Oracle HTTP Server and Oracle WebLogic Server. All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.
Oracle E-Business Suite 11i and R12
- There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities, two of which are remotely exploitable without authentication.
- The vulnerabilities are in Oracle Application Object Library (AOL), Applications Install, and Web ADI. It is not clear if the AOL vulnerabilities can be exploited externally in DMZ implementations.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be the significant number of Oracle Fusion Middleware remotely exploitable vulnerabilities, especially any in the Oracle HTTP Server. For specific databases, based on configuration and installed options, this may be a lower than average risk CPU.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in Application Object Library to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
Upcoming Integrigy CPU Webinars
Oracle April 2011 CPU E-Business Suite Impact
Thursday, April 28, 2pm ET
Oracle April 2011 CPU Oracle Database Impact
Thursday, May 5, 2pm ET
January 17, 2011
Oracle Critical Patch Update January 2011 Pre-Release Analysis
- Overall, 43 Oracle security vulnerabilities are fixed in this CPU, which is an average number and well within the range of previous CPUs (Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.1 for major platforms
- Application Server = 10.1.2.3.0, 11.1.1.2.0, and 11.1.1.3.0
- E-Business Suite = 11.5.10.x, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- The major versions no longer supported by Critical Patch Updates are Oracle Database 9.2.0.8 (July 2010) and Oracle Application Server/Fusion Middleware versions 10.1.3.5.0 and 11.1.1.1.
- The highlight of this CPU is that 12 of 16 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication, with the highest CVSSv2 score being 10.0. The vulnerabilities are in the Oracle BI Publisher, Oracle Discoverer, Oracle Document Capture, Oracle GoldenGate Veridata, Oracle HTTP Server, Oracle JRockit, Oracle Outside In Technology, Oracle WebLogic Server, and Services for Beehive components.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle January 2011 CPU E-Business Suite Impact Webinar Thursday, January 27, 2pm ET and (2) Oracle January 2011 CPU Oracle Database Impact Webinar Thursday, February 3, 2pm ET.
Oracle Database
- There are 6 database vulnerabilities and 2 are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.5 (the practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a low-privileged account, will be able to gain full control of the database by exploiting the vulnerability.
- The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments. It will be interesting to see what the actual vulnerabilities are in these components: Client System Analyzer, Cluster Verify Utility, Database Vault, Oracle Spatial, Scheduler Agent, and UIX.
- There are 16 new Oracle Fusion Middleware vulnerabilities, 12 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- Of critical importance will be the fixes in the Oracle HTTP Server and Oracle WebLogic Server. All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.
Oracle E-Business Suite 11i and R12
- There are 2 new Oracle E-Business Suite 11i and R12 vulnerabilities, both of which are remotely exploitable without authentication.
- The vulnerabilities are in Oracle Application Object Library and Oracle Common Applications. It is not clear if either of these modules can be exploited externally in DMZ implementations.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be the significant number of Oracle Fusion Middleware remotely exploitable vulnerabilities, especially any in the Oracle HTTP Server.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in Application Object Library to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
November 16, 2010
Upcoming Webinar: IT Security Briefing: Security Risks in the Oracle Database
Thursday, November 18, 2:00pm - 3:00pm EST
Most IT Security personnel are familiar with the security requirements of networks and operating systems. But many in IT Security are not aware of the security risks inherent in their company’s Oracle production databases. Issues concerning the protection of sensitive data, restricting excessive user access privileges, and implementing database activity monitoring are not given serious consideration. This one hour educational session will highlight the security risks and safeguards that should be found in every production database.
Topics include:
- Database inspection for regulatory compliance.
- Protection of sensitive data (credit card data, social security numbers, payroll data, etc.)
- Database appraisal for excessive user privileges, unwarranted access, and access to insecure areas
- Validating internal database security standards – written and implemented.
- Confirming on-going database activity monitoring is implemented to ensure business requirements are satisfied, all attack vectors are covered, and alerting/reporting is active.
Click here to register for this IT Security Briefing on Oracle Database security.
October 27, 2010
Upcoming Webinar: Oracle Critical Patch Update October 2010 - Oracle Database Impact
Thursday, October 28, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly educational session will focus on the October 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
October 20, 2010
Upcoming Webinars: Oracle Critical Patch Update October 2010
Oracle October 2010 CPU - Oracle E-Business Suite Impact
Thursday, October 21, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the October 2010 CPU and the impact on E-Business Suite environments.
Topics will include:
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle October 2010 CPU - Oracle Database Impact
Thursday, October 28, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the October 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
October 14, 2010
Is the Oracle Critical Patch Update for October 2010 Massive?
The news reports describing the October 2010 Oracle Critical Patch Update (CPU) are using terms like "giant", "massive", and practically every other known synonym for a really big security patch release. These news reports must be resonating with CIOs and CSOs as Integrigy has received a number of client calls and a huge response to our upcoming webinars detailing this CPU.
As always, a little perspective and analysis is required to quantify what is actually in the CPU and the risk to an organization. First, let's look at the 85 vulnerabilities patched in the CPU to see how this CPU compares with previous CPUs -
- 75% (63 of 85) of the bugs fixed in this CPU are in products Oracle has acquired since the release of the first CPU in January 2005.
- 40% (36 of 85) of the bugs fixed in this CPU are in products Oracle has owned for less than a year (Sun).
- Only 7 database vulnerabilities are fixed this quarter where the historical average is 16.5 database bugs per quarter.
- Only 6 E-Business Suite vulnerabilities are fixed this quarter where the historical average is 9 bugs per quarter.
A more detailed look at the security bug count and maximum CVSS score by quarter shows this CPU for the Oracle Database and Oracle E-Business Suite is average or slightly below for both bug count and maximum CVSS score. Integrigy's preliminary analysis of this CPU shows 4 of the 7 database vulnerabilities can be exploited with no database credentials or just CREATE SESSION system privilege, which is consistent with previous CPUs - the other 3 vulnerabilities actually require advanced or infrequently granted privileges or roles like EXECUTE_CATALOG_ROLE.
Clearly for the Oracle Database and Oracle E-Business Suite, this CPU is no different than the previous twenty-three CPUs and should be handled with the same processes and prioritization as previous CPUs.
Upcoming Integrigy Oracle Critical Patch Update Webinars
Oracle October 2010 CPU E-Business Suite Impact Webinar
Thursday, October 21, 2-3pm EDT
Oracle October 2010 CPU Oracle Database Impact Webinar
Thursday, October 28, 2-3pm EDT
July 28, 2010
Upcoming Webinar: Oracle Critical Patch Update July 2010 Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for this webinar.
July 11, 2010
Oracle Critical Patch Update July 2010 Pre-Release Analysis
- Overall, 38 Oracle security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
- Application Server = 10.1.2.3.0
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is that 4 of 6 Oracle Database security vulnerabilities are remotely exploitable without authentication. It is rare to have even a single vulnerability in the database that is remotely exploitable without authentication. Most likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application Builder. If the remotely exploitable vulnerabilities are in the Listener component, then they may be only denial of service vulnerabilities.
- There are no major version support changes for this CPU.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2010 CPU E-Business Suite Impact Webinar Thursday, July 22, 2pm ET and (2) Oracle July 2010 CPU Oracle Database Impact Webinar Thursday, July 29, 2pm ET.
Oracle Database
- There are 6 database vulnerabilities and four are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.8 (the practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a low-privileged account, will be able to gain full control of the database by exploiting the vulnerability.
- There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication. For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control. Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.
Oracle E-Business Suite 11i and R12
- There are 7 new Oracle E-Business Suite 11i and R12 vulnerabilities, five of which are remotely exploitable without authentication.
- The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management. Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF), as these might be exploitable in externally accessible web pages.
Planning Impact
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.
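The Planning Impact sections above repeatedly recommend checking whether the web pages named in a CPU are blocked by the E-Business Suite URL firewall before deciding how urgently to patch an Internet-facing instance. The following is an added example of that check (not code from the original post or from Oracle): it parses a constructed allowlist written in the style of an Apache mod_rewrite configuration, one permit rule per page followed by a catch-all forbid rule, and reports which of a list of affected pages are still reachable from outside. The rule file and every page name in it are constructed placeholders, not real CPU-affected URLs.

```python
"""Which CPU-affected E-Business Suite pages does the URL firewall still expose?

Added example, not from the original post. SAMPLE_URL_FW is a constructed
allowlist in Apache mod_rewrite syntax ('RewriteRule <regex> - [L]' permits
a page, the trailing '[F]' rule forbids everything else); the page names are
placeholders standing in for the pages named in a CPU advisory.
"""
import re
from urllib.parse import urlsplit

SAMPLE_URL_FW = r"""
# constructed sample allowlist (not a real url_fw.conf)
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
RewriteRule ^/OA_HTML/ExampleStorePage\.jsp$ - [L]
RewriteRule .* - [F]
"""

# RewriteRule <pattern> - [flags]; '-' means "no substitution", only flags apply
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+-\s+\[([A-Za-z,=]+)\]")


def parse_rules(conf: str) -> list:
    """Return (compiled_regex, flag_set) pairs in file order. Order matters:
    mod_rewrite stops at the first matching rule carrying [L] or [F]."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((re.compile(m.group(1)), set(m.group(2).split(","))))
    return rules


def is_exposed(url: str, rules: list) -> bool:
    """True if the URL path gets through the allowlist. mod_rewrite matches
    the path only, so the query string is dropped before matching; a path
    that matches no rule at all is treated as blocked (fail closed)."""
    path = urlsplit(url).path
    for pattern, flags in rules:
        if pattern.search(path):
            return "F" not in flags
    return False


def exposed_affected(affected: list, conf: str) -> list:
    """Subset of the CPU-affected pages that the allowlist still permits:
    these are the ones an external attacker can reach and that need patching
    ahead of the normal CPU schedule."""
    rules = parse_rules(conf)
    return [u for u in affected if is_exposed(u, rules)]


if __name__ == "__main__":
    # constructed list of 'affected' pages, as one would copy from an advisory
    affected_pages = ["/OA_HTML/ExampleStorePage.jsp",
                      "/OA_HTML/ExampleInternalAdmin.jsp",
                      "/OA_HTML/OA.jsp?page=/oracle/apps/example/webui/ExamplePG"]
    for page in exposed_affected(affected_pages, SAMPLE_URL_FW):
        print("externally reachable, patch first:", page)
```

Pages routed through a shared entry point such as OA.jsp are only distinguishable by their query string, which the path-only allowlist cannot see; that is why the last constructed page above is reported as exposed even though the allowlist never names it, and why the post's advice to review such pages individually still stands.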
July 09, 2010
Upcoming Webinars: Oracle Critical Patch Update July 2010
Oracle July 2010 CPU - Oracle E-Business Suite Impact
Thursday, July 22, 2:00pm - 3:00pm EDT
This quarterly eLearning session will focus on the July 2010 CPU and the impact on E-Business Suite environments.
Topics will include:
- a review of the security vulnerabilities fixed in the CPU,
- an analysis of the required CPU patches,
- a discussion of a high-level patch strategy.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle E-Business Suite webinar.
Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for the Oracle Database webinar.
May 25, 2010
Upcoming IOUG Webinar - A Journey Through Enterprise Database Security for DBAs
A Journey Through Enterprise Database Security for DBAs
Stephen Kost, Integrigy
Wednesday, May 26, 1:00pm - 2:00pm CT
This presentation is intended for Database Administrators. It will detail the enterprise database security requirements, regulatory requirements and monitoring of databases.
Click here to register for the webinar.
The webinar is free for IOUG Full Members and $49 for Associate Members and Non-members.
January 08, 2010
Oracle Critical Patch Update January 2010 Pre-Release Analysis
- Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is 2 vulnerabilities in the Oracle Database that are remotely exploitable without authentication. It is rare to have even a single vulnerability in the database that is remotely exploitable without authentication. Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup. If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
- There are no major version support changes for this CPU.
Oracle Database
- There are 10 database vulnerabilities and two are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication that there is a buffer overflow in the Listener component that is remotely exploitable without authentication. Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).
- There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. The affected components are Access Manager Identity Server and Oracle Containers for J2EE. With a maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.
Oracle E-Business Suite 11i and R12
- There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
- The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS. Of most interest will be whether the AOL vulnerability is in an externally accessible web page.
Planning Impact
- The criticality of this quarter's CPU is in-line with previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
July 15, 2009
Oracle Critical Patch Update (CPU) - July 2009 - E-Business Suite Impact
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 AOL, CVE-2009-1982 OAF, and CVE-2009-1983 iStore are all externally accessible and two are remotely exploitable without authentication. These customers should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -
Oracle Critical Patch Update - July 2009 - E-Business Suite Impact
July 13, 2009
Oracle Critical Patch Update July 2009 Pre-Release Analysis
- Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU is 3 vulnerabilities in the Oracle Database that are remotely exploitable without authentication. It is rare to have even a single remotely exploitable without authentication vulnerability in the database, and having three such vulnerabilities could make this a significant and high priority CPU. Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
- There are no major version support changes for this CPU.
Oracle Database
- There are 10 database vulnerabilities and three are remotely exploitable without authentication. As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
- The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components. One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
- Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
Oracle Application Server
- There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools. The highest CVSS 2.0 metric is a 5.0, suggesting that these are only of limited risk. For the Oracle HTTP Server, which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several months later. Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
Oracle E-Business Suite 11i and R12
- There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
- Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
- This is the first CPU with a patch for 12.1.
Planning Impact
- The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
May 07, 2009
COLLABORATE 09 Integrigy Presentations
Oracle Applications Users Group (OAUG)
Oracle Critical Patch Updates Unwrapped
Independent Oracle Users Group (IOUG)
Oracle Critical Patch Updates: Insight and Understanding
Real World Database Auditing
January 08, 2009
Oracle Critical Patch Update January 2009 Pre-Release Analysis
- Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.6 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, and 12.0.x
- The highlight of this CPU is 9 vulnerabilities in Oracle Secure Backup that are remotely exploitable without authentication. All customers running Oracle Secure Backup will need to carefully evaluate the impact of these vulnerabilities.
- There are no major version support changes for this CPU. It is important to note that this will be the last CPU for database versions 10.2.0.2 and 10.2.0.3.
Oracle Database
- There are 10 database vulnerabilities and none are remotely exploitable without authentication, which is consistent with previous CPUs. Usually, the vast majority of database vulnerabilities require authentication. However, it is highly likely a portion of these vulnerabilities can be exploited using only PUBLIC privileges accessible by all database accounts.
- The vulnerability of most interest is in the "Job Queue" component as there have been no previous vulnerabilities in this component.
- At least one of the database security vulnerabilities has a CVSS 2.0 metric of 5.5, which should be considered medium to high risk for a database vulnerability. This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
- There are 2 vulnerabilities in the SQL*Plus Windows GUI (sqlplusw) client-side installation. Previously, these types of client-side vulnerabilities have been buffer overflows in passed parameters or environment variables.
Oracle Application Server
- There are 4 new Oracle Application Server vulnerabilities, 2 of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in OC4J, Oracle BPEL Process Manager, Oracle JDeveloper, and Oracle Portal.
Oracle E-Business Suite 11i and R12
- There are 4 new Oracle E-Business Suite 11i and R12 vulnerabilities and none are remotely exploitable without authentication. It may be possible to exploit the one Oracle Applications Framework vulnerability using any application account or the generic accounts available through modules such as iStore or iRecruitment.
Planning Impact
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.