Critical Patch Update April 2007 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming April 2007 Critical Patch Update (CPU):

  • Overall, 37 security vulnerabilities are fixed in this CPU, which is much lower than average but in the range of previous CPUs (Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Secure Enterprise Search.  All supported Oracle Database, Oracle Application Server, Oracle Enterprise Manager, and Oracle E-Business Suite versions are included.

Oracle Database

  • There are two vulnerabilities that are easy to exploit, remotely exploitable, and require no authentication, which is not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.
  • Two of the vulnerabilities impact database client installations, which may require a significant patching effort.
  • At least two of the database security vulnerabilities have a CVSS score of 7.0, which for database vulnerabilities is severe (7.0 is really the practical maximum for a database vulnerability).
  • The major version support change is that 10.2.0.1 appears to no longer be supported for the major platforms (Sun Solaris SPARC, HP-UX, IBM AIX, Linux, Windows x86).

Oracle Application Server

  • The security vulnerabilities exist in COREid Access, Discoverer, Portal, Wireless, Workflow, and Secure Enterprise Search.  None of the issues appear to affect the Oracle HTTP Server (Apache).
  • The major version support changes are that Oracle Application Server 9.0.4.1 and 9.0.4.2 are no longer supported.

Oracle E-Business Suite 11i and R12

  • There are two vulnerabilities that are easy to exploit, remotely exploitable, and require no authentication.  These security bugs most likely exist in iStore, iSupport, and/or iProcurement, which will require immediate patching.
  • All supported versions are included (11.5.7 to 11.5.10 CU2 and 12.0.0).
  • Error Correction Support (ECS) for 11.0.3 ended February 28, 2007.  There are no CPU patches available for 11.0.3 after the January 2007 CPU, even though many of the security vulnerabilities most likely exist in this version.

Planning Impact

  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • The database client patches will need to be carefully evaluated to determine the impact and potential patching effort.
  • Customers running iStore, iSupport, and/or iProcurement should consider applying these patches ASAP.

Note: The pre-release announcement is removed when the CPU is released.