Oracle has released the Critical Patch Update (CPU) for October 2006. 101 new vulnerabilities across all Oracle products are fixed in this CPU, of which 45 are remotely exploitable. The overall number is higher than in previous CPUs, but it includes a similar number of database and application server vulnerabilities. The spike is due to 35 vulnerabilities in Oracle Application Express (formerly HTMLDB).
A preliminary analysis shows that, with the exception of the Oracle Application Express vulnerabilities, the patched vulnerabilities are similar to those in previous CPUs and there is nothing noteworthy. Most troubling is that Oracle needs to fix 10-30 vulnerabilities in the Oracle Database every quarter. The number of new vulnerabilities and of reported but unpatched vulnerabilities does not seem to be shrinking.
It appears, but we have not yet confirmed, that OHS01 is the mod_rewrite vulnerability (CVE-2006-3747) reported and fixed by Apache in July. If you are using mod_rewrite with 126.96.36.199 or higher, you may want to review the configuration conditions where this vulnerability is exploitable.
For the Oracle Database, the same database versions are supported as the July 2006 CPU and there are no patches required for 188.8.131.52 or 10.2.0.3. [CORRECTION: Oracle added on 19-Oct-06 that a patch will be available for 184.108.40.206 in mid-November.]
For the Oracle Application Server, CPU patches are not available for 220.127.116.11 as a standalone product and no patch is required for 10.1.4.0.1.
For the Oracle E-Business Suite 11i, as I have previously discussed, the major change is that ATG RUP3 or RUP4 is required to install any of the October 2006 CPU patches.
All customers using Oracle Application Express (HTMLDB) 1.5 to 2.0 for application development should quickly evaluate the impact these new vulnerabilities may have on their applications, especially those accessible via the Internet.
No new Oracle Collaboration Suite (OCS) vulnerabilities.
No new Oracle Enterprise Manager (OEM) vulnerabilities.
However, OCS and OEM are still affected by the database and/or application server vulnerabilities.
With this CPU, Oracle has introduced several documentation changes. The most subtle (and unannounced) is that Oracle now posts the total number of new vulnerabilities (101) clearly at the top of the documentation -- this should eliminate the miscounting seen in news reports of previous CPUs. The new executive summaries are very high level and provide no real details about the vulnerabilities. The inclusion of the CVSS matrices and base scores does provide a more standard approach to identifying the risk of each vulnerability.
We are working on our impact analysis for the Oracle E-Business Suite and should have it available in the next day or so.
17-Oct-06 - Initial Version
26-Oct-06 - Added information on 18.104.22.168 patch being available mid-November