We have released our quarterly Oracle E-Business Suite Impact analysis for the Oracle Critical Patch Update (CPU) January 2007. This analysis looks at the CPU from an Oracle E-Business Suite perspective and provides additional details on the fixed vulnerabilities and a patching strategy for the Oracle Database, Oracle Application Server, Oracle Developer 6i, Oracle JInitiator, and Oracle Applications 11i.
This quarter is the same as the previous nine, with many patches and long hours needed to get all the security patches applied in a timely manner. In terms of certification, 188.8.131.52 and Developer 6i Patchset 17 are no longer certified with Oracle Applications and the security patches.
The most critical vulnerability is in the SSL component of the Oracle HTTP Server. If you are running Oracle Applications connected to the Internet and using SSL (which is highly recommended), you should carefully review the impact of this vulnerability and the risk to your organization.
The CPU includes an interesting enhancement to Accounts Payable that stops employee taxpayer IDs from being displayed on the Supplier Entry form and, when not necessary, in reports. Based on your organization's privacy policies, you may need to implement this AP patch.
On the positive side, most of the Oracle Applications patches are for security weaknesses (like storing some ancillary passwords in plain-text) rather than critical and readily exploitable security vulnerabilities.
The analysis is available here - January 2007 CPU Oracle E-Business Suite Impact
There is also a CPU certified technology stack matrix available - January 2007 CPU Oracle E-Business Suite Technology Matrix