Critical Patch Update October 2007 Pre-Release Analysis

12 Oct

Critical Patch Update October 2007 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming October 2007 Oracle Critical Patch Update (CPU) -

  • Overall, 51 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix is similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  There are no new vulnerabilities in Oracle Collaboration Suite.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.8, 11.5.9, 11.5.10.x, and 12.0.x
  • Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed. The CPU patches will only be available upon request.  Fortunately according to the July 2007 CPU note (Metalink Note ID 432873.1), all supported platform/version combinations will have patches proactively released for the October 2007 CPU.  The database note for the October 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.
  • This is the first CPU using version 2.0 of the CVSS metric.  CVSS 2.0 scores seem to be more consistent, but still grossly understate the severity of many database and application vulnerabilities.  Even a vulnerability may allow a complete compromise of the database, the score is less than 7.

Oracle Database

  • There are 5 remotely exploitable without authentication vulnerabilities, which are not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.  Depending on the exact nature of the 5 remotely exploitable without authentication vulnerabilities, this quarter's CPU could prove to be the most critical in the past 2 years.
  • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.
  • The major version support change for this quarter is that 9.2.0.7 is no longer supported.

Oracle Application Server

  • 7 of the 11 vulnerabilities are remotely exploitable without authentication.  A number of these vulnerabilities are probably related to recently fixed Apache which is the base of the Oracle HTTP Server.  Organizations with Internet facing Application Server deployments will most likely want to prioritize this quarter's CPU patches as Oracle HTTP Server, Oracle Single Sign-on, and Oracle Portal are all affected.
  • There are no major changes to the support Oracle Application Server versions for this quarter.

Oracle E-Business Suite 11i and R12

  • Only 1 of the 8 vulnerabilities in the Oracle E-Business Suite is remotely exploitable without authentication. 
  • All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.3).  This will be the last CPU for 11.5.8.

Planning Impact

  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released.

 Share this post