Critical Patch Update January 2008 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming January 2008 Oracle Critical Patch Update (CPU):

  • Overall, 27 security vulnerabilities are fixed in this CPU, which is the lowest number of bugs fixed since the original CPU released in January 2005 that fixed 25 bugs (Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • This is the first CPU that includes fixes for Oracle 11g (11.1.0.6).
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, 10.2.0.3, and 11.1.0.6
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
  • Oracle instituted a new policy with the July 2007 CPU under which platforms with few downloads of CPU patches no longer have patches proactively created; the CPU patches are only available upon request.  According to the October 2007 CPU note (Metalink Note ID 455287.1), patches for 10.1.0.5 on several platforms will be available only upon request for the January 2008 CPU.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

Oracle Database

  • There are 8 database vulnerabilities and none are remotely exploitable.
  • At least one of the database security vulnerabilities has a CVSS 2.0 base score of 6.5, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
  • According to the October 2007 CPU notes, there is only limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the January 2008 CPU: AIX 5L, HP Itanium, HP/UX, IBM zLinux, Linux x86-64, Linux Itanium, and Linux on Power.  Key missing platforms include all Solaris and Windows operating systems.

Oracle Application Server

  • 5 of the 6 vulnerabilities are remotely exploitable without authentication, although none impact the Oracle HTTP Server (Apache).
  • A previously disclosed JInitiator bug is fixed, and the key to fixing this bug is removal of previous JInitiator versions from all client PCs as well as upgrading JInitiator on the application servers.  Whenever possible, JInitiator should be upgraded to at least 1.3.1.29 or replaced with the Sun Java Plug-in.

Oracle E-Business Suite 11i and R12

  • 3 of the 7 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework, so all implementations should consider most of these patches as critical.
  • 11.5.8 is no longer supported; therefore, it receives no CPU patches.  April 2008 will be the last CPU for 11.5.9.

Planning Impact

  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released.
