Blogs

This quarters Oracle Critical Patch Update (CPU) will be released on Tuesday, July 17th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday after the release.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, July 19 at 9:00 am and 5:00 pm U.S. Eastern Time

Here is a brief analysis of the pre-release announcement for the upcoming July 2007 Critical Patch Update (CPU) -

Network security expert Richard Bejtlich recently posted some interesting comments regarding Oracle Security on his blog TaoSecurity.

Oracle has released the latest ATG rollup RUP5 (official name is 11i.ATG_PF.H.delta.5).  From a security perspective, RUP5 is important in three regards -

1. The ATG rollups contain a number of security enhancements
2. RUP5 incorporates ATG CPU patches from January 2005 to January 2007
3. Starting with the July 2007 CPU, only RUP(n) and RUP(n-1) will be supported

RUP5 Security Enhancements

Oracle has released the Oracle 9.2.0.8 April 2007 Critical Patch Update (CPU) Windows 32-bit patch much ahead of scheduled April 30th date.  Media reports (here) were critical of Oracle's failure to release this patch in a timely manner due to the severity of one of the bugs affecting the database running on the Windows platform.

Oracle released the tenth Critical Patch Update (CPU) yesterday.  This quarter is the same as the previous nine with many patches and long hours in order to get all the security patches applied in a timely manner.  Fortunately, this quarter there are no patches required for the Oracle Application Server or Developer 6i.  For R12, Oracle has now made the Oracle Applications patches cumulative and the patch is also included in the newly released 12.0.1 patch.

Integrigy has released an advisory regarding an undisclosed security vulnerability in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user's password or the Oracle Applications' main database account password (APPS).

Here is a brief analysis of the pre-release announcement for the upcoming April 2007 Critical Patch Update (CPU) -

We have updated our Oracle Applications 11i Security Quick Reference to include new information and for 11.5.10 CU2.  The Quick Reference is a simple two-pager meant to highlight some key security areas and settings.

Oracle Applications 11i Security Quick Reference