Oracle released the eighteenth Critical Patch Update (CPU) on Tuesday, April 14, 2009 (CPU April 2009/CPUApr09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 43 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
Again this quarter there are a number of database vulnerabilities that can be exploited by lowly privileged database accounts, including the APPLSYSPUB account. Also, there are 2 denial of service vulnerabilities - one in the database listener and the other in the RAC Cluster Ready Services.
For the Application Server, no action is required for Oracle E-Business Suite 11i. For R12, there is a serious vulnerability in OPMN which is installed and used and multiple issues in BI Publisher (formerly XML Publisher).
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 22.214.171.124, 10.1.0.5, 10.2.0.4, 126.96.36.199, and 11.1.07 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -