Here is a brief analysis of the pre-release announcement for the upcoming January 2010 Oracle Critical Patch Update (CPU) -
- Overall, 24 security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 184.108.40.206, 10.1.0.5, 10.2.0.3, 10.2.0.4, and 220.127.116.11 for major platforms
- Application Server = 18.104.22.168, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU are 2 remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have a single remotely exploitable without authentication vulnerability in the database. Most likely these 2 vulnerabilities are in the Listener, APEX Application Builder, and/or Secure Backup. If the remotely exploitable vulnerabilities are in the Listener component, then this could be a significant and high priority CPU.
- There are no major version support changes in for this CPU.
- There are 10 database vulnerabilities and two are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 metric of 10.0, this is a strong indication there a buffer overflow in the Listener component that is remotely exploitable without authentication. Most likely, the CVSS metric for Windows will be 10.0 and will be 7.5 for Unix/Linux (even though you will be able to fully compromise the database).
Oracle Application Server
- There are three new Oracle Application Server vulnerabilities, all of which are remotely exploitable without authentication. The affected components are Access Manager Identify Server and Oracle Containers for J2EE. With maximum CVSS 2.0 metric of 5.0, these could be cross-site scripting (XSS) vulnerabilities based on the scores and components.
Oracle E-Business Suite 11i and R12
- There are 3 new Oracle E-Business Suite 11i and R12 vulnerabilities, all of which are remotely exploitable without authentication.
- The vulnerabilities are in the CRM Technical Foundation (mobile), AOL, and HRMS. Of most interest will be if the AOL vulnerability is in an externally accessible web page.
- The criticality of this quarter's CPU is in-line with previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.