Oracle Critical Patch Update July 2011 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2011 Oracle Critical Patch Update (CPU) -
- Overall, 55 Oracle security vulnerabilities (non-Solaris bugs) are fixed in this CPU, which is an above average number but well within the range of previous CPUs (Apr-11=47, Jan-11=43, Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized for Oracle products and excludes any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs, with the only exception being a large number of Oracle Grid Control vulnerabilities fixed this quarter. All CPU supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 188.8.131.52, 184.108.40.206, 220.127.116.11 for major platforms
- Application Server = 10.1.2.3.0, 10.1.3.5.0, 18.104.22.168.0, 22.214.171.124.0, and 126.96.36.199.0
- E-Business Suite = 188.8.131.52, 12.04, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- As anticipated by Integrigy, this is the first CPU available for Oracle Database 184.108.40.206.
- For the Oracle E-Business, as of the July 2011 there is no CPU support for all versions prior to 220.127.116.11 and 12.0.0 - 12.0.5. We are not sure if it is a mistake in the CPU, but 12.0.4 is listed as a supported version. 18.104.22.168 requires the "Minimum Baseline for Extended Support" as specified in Metalink Note ID 883202.1.
- Based on the pre-release announcement, few determinations can be made as to the actual severity and impact on most organizations because of the varied components being patched this quarter. For the database, the highest CVSSv2 score is a 7.2 and 2 vulnerabilities are remotely exploitable without authentication. However, since 18 components are listed as being patched for the 13 vulnerabilities, it is hard to determine the impact without more details regarding individual vulnerabilities. We anticipate the highest scoring vulnerabilities will be the client-side and Database Vault vulnerabilities.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle July 2011 CPU E-Business Suite Impact Webinar Thursday, July 28, 2pm ET and (2) Oracle July 2011 CPU Oracle Database Impact Webinar Tuesday, August 2, 2pm ET.
- There are 13 database vulnerabilities; 2 are remotely exploitable without authentication and 2 are applicable to client-side only installations.
- Since at least one database vulnerability has a CVSS 2.0 metric of 7.1 (important to high for a database vulnerability), this is a fairly important CPU.
- The components fixed by this CPU are not the usual suspects and several will not be implemented in many environments. It will be interesting to see what the actual vulnerabilities are in these components: CMDB Metadata & Instance APIs, Content Management, Core RDBMS, Database Target Type Menus, Database Vault, EMCTL, Enterprise Config Management, Enterprise Manager Console, Event Management, Instance Management, Oracle Universal Installer, Schema Management, Security Framework, Security Management, SQL Performance Advisories/UIs, Streams, AQ & Replication Mgmt, and XML Developer Kit.
- In addition, there are 18 vulnerabilities in Oracle Enterprise Manager and 3 in Oracle Secure Backup.
Oracle Fusion Middleware
- There are 7 new Oracle Fusion Middleware vulnerabilities, 2 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- All Oracle Fusion Middleware implementations should carefully review this CPU to determine the exact impact to your environment.
Oracle E-Business Suite 11i and R12
- There is only one new Oracle E-Business Suite 11i and R12 vulnerability, which is remotely exploitable without authentication. Most likely the Business Intelligence vulnerability cannot be exploited externally in DMZ implementations.
- We anticipate the criticality of this quarter's CPU will be in-line with previous CPUs. Based on the patched components, this may be a lower than average risk CPU for specific databases based on configuration and installed options. It appears most of the vulnerabilities are related to Enterprise Manager components.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
- For Oracle E-Business Suite customers, most likely the Business Intelligence will have to be applied to all implementations even if the Business Intelligence module is not installed, configured, or licensed.
Upcoming Integrigy CPU Webinars
Oracle July 2011 CPU E-Business Suite Impact
Thursday, July 28, 2pm ET
Oracle July 2011 CPU Oracle Database Impact
Tuesday, August 2, 2pm ET