Oracle Critical Patch Update July 2010 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming July 2010 Oracle Critical Patch Update (CPU) -

Overall, 38 Oracle security vulnerabilities are fixed in this CPU, which is a below average number but well within the range of previous CPUs (Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and excludes any Sun products.
The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -

Database = 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 for major platforms
Application Server = 10.1.2.3.0
E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x

The highlight of this CPU is 4 of 6 Oracle Database security vulnerabilities are remotely exploitable without authentication. It is rare to have a single remotely exploitable without authentication vulnerability in the database. Most likely these 4 vulnerabilities are in the Listener, Net Foundation Layer, Network Layer, and/or APEX Application Builder. If the remotely exploitable vulnerabilities are in the Listener component, then this could only be a denial of service vulnerabilities.
There are no major version support changes in for this CPU.
Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2010 CPU E-Business Suite Impact Webinar Thursday, July 22, 2pm ET and (2) Oracle July 2010 CPU Oracle Database Impact Webinar Thursday, July 29, 2pm ET.

Oracle Database

There are 6 database vulnerabilities and four are remotely exploitable without authentication.
Since at least one database vulnerability has a CVSS 2.0 metric of 7.8 (practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a lowly privileged account, will be able to gain full-control of the database by exploiting the vulnerability.

Oracle Application Server

There are seven new Oracle Application Server vulnerabilities, five of which are remotely exploitable without authentication. For Oracle Application Server implementations, there is only one vulnerability in the Application Server Control. Usually, vulnerabilities in the control utilities are only locally exploitable and require a local operating system account to exploit.

Oracle E-Business Suite 11i and R12

There are 7 new Oracle E-Business Suite 11i and R12 vulnerabilities, five of which are remotely exploitable without authentication.
The vulnerabilities are in the Oracle Advanced Product Catalog, Oracle Applications Framework (OAF), Oracle Applications Manager, and Oracle Knowledge Management. Of most interest will be the vulnerabilities in the Oracle Applications Framework (OAF) and these might exploitable in externally accessible web pages.

Planning Impact

We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. The only exception may be if the remotely exploitable Oracle Database vulnerabilities are more significant than previous vulnerabilities in the networking components.
As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in the Oracle Applications Framework to determine if these pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should look to immediately patch these environments.