Critical Patch Update January 2007 Pre-Release Analysis

Here is a quick analysis of the pre-release announcement for the January 2007 Critical Patch Update (CPU) -

• Overall, 52 vulnerabilities are fixed in this CPU, which is inline with previous CPUs (Oct-06=101, Jul-06=63, Apr-06=36, Jan-06=82).
• The product mix is similar to previous CPUs with the notable addition of Oracle Identity Management 10.1.4.0.1.  All supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.
• A number of the vulnerabilities have a CVSS metric of 7.0, which for database and application vulnerabilities is severe.  7.0 is really the practical maximum for a database or application vulnerability. 
1. For the Oracle Database, there are one or more easy to exploit, remotely exploitable, and authentication not required vulnerabilities, which are not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.
2. For the Oracle E-Business Suite, there are one or more easy to exploit, remotely exploitable, and authentication not required vulnerabilities.  It appears the most severe vulnerabilities are in Oracle Application Server 1.0.2.2, so Internet accessible Oracle Applications implementations should look to prioritize these patches.