Oracle released the nineteenth Critical Patch Update (CPU) on Tuesday, July 14, 2009 (CPU July 2009/CPUJul09). This quarter is like the previous eighteen: many patches and long hours to get all the security patches applied in a timely manner. Around 12 of the 30 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately, as in the last few quarters, no new Oracle Application Server or Developer 6i patches are required for the Oracle E-Business Suite 11i.
The most interesting database vulnerabilities this quarter are three vulnerabilities in the network components of the Oracle Database (CVE-2009-1020, CVE-2009-1019, CVE-2009-1963). One of these vulnerabilities (CVE-2009-1019) is remotely exploitable without authentication.
For Internet-facing Oracle E-Business Suite environments, CVE-2009-1980 (AOL), CVE-2009-1982 (OAF), and CVE-2009-1983 (iStore) are all externally accessible, and two of them are remotely exploitable without authentication. Customers with such environments should carefully review these vulnerabilities and patch as soon as possible.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 220.127.116.11, 10.1.0.5, 10.2.0.4, 18.104.22.168, and 22.214.171.124 for the database and ATG_PF.H RUP5 or RUP6 for the Oracle E-Business Suite 11i.
More information about the vulnerabilities and detailed recommendations on patching and testing is available at -