Oracle Security Blog

Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -

Oracle has hinted at the upcoming release of Oracle E-Business Suite 11i.ATG_PF.H.delta.7 (or commonly referred to as RUP7) and will be most likely available in the next several months as it is currently under going internal testing.  Oracle Critical Patch Update patches for Oracle E-Business Suite 11i have the latest ATG RUP patches as a prerequisite - the official prerequisite is RUP N or RUP N-1 is required.  The last RUP was ATG RUP6 (5903765) released in October 20

The COLLABORATE 09 conference has completed and from all accounts was a success.  For those of you not familiar with COLLABORATE, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  This year's conference had over 1,000 technical sessions covering virtually every Oracle product.  Integrigy delivered 3 security related presentations and I have upload the presentations to our Security Resources section under Whitepapers and Presentations.  Here are the links

For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  COLLABORATE 09 is next week, Sunday, May 3 through Thursday, May 7 in Orlando.  This year there will be over 1,000 technical sessions covering virtually every Oracle product. 

Integrigy's CTO, Stephen Kost, will be presenting three technical sessions:

Oracle released the eighteenth Critical Patch Update (CPU) on Tuesday, April 14, 2009 (CPU April 2009/CPUApr09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 43 vulnerabilities fixed impact the Oracle E-Business Suite.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Oracle released the seventeenth Critical Patch Update (CPU) on Tuesday, January 13, 2009 (CPU January 2009/CPUJan09). This quarter is the same as the previous sixteen with many patches and long hours in order to get all the security patches applied in a timely manner. Around 10 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Here is a brief analysis of the pre-release announcement for the upcoming January 2009 Oracle Critical Patch Update (CPU) -

New information has been released for an Oracle E-Business Suite 11i security vulnerability fixed as part of the April 2007 Critical Patch Update.  The vulnerability was discovered by Joxean Koret and the TippingPoint Zero Day Initiative released the advisory.  For those of you not familiar with the Zero Day Initiative, it is a security vendor sponsored program that pays for security vulnerability information.

The Oracle E-Business Suite R12 Release Update Pack (RUP6 or 12.0.6) was released on November 7, 2008.  This is the latest cumulative update patch for all product families including Applications Technology (ATG).  The patch is 2GB in size and can be applied on top of any R12 version.  The only prerequisite step is to apply R12.AD.A.DELTA.6 (7305220).  See Metalink Note ID 743368.1 for more information.

Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server).  The CVE ID is CVE-2008-3257.  The CVSS 2.0 score for this vulnerability is 10 out of 10.  To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.

In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (i.e., DB01, AS01, APP01, etc.).  Common Vulnerabilities and Exposures (CVE) is a standardized dictionary and identifiers of published security advisories.  The purpose of CVE is to provide a single identifier for security vulnerabilities so that vendors, tools, and organizations can all refer to the same vulnerability with a single identifier.  The format of the CVE identifier is (1)

Here is a brief analysis of the pre-release announcement for the upcoming July 2008 Oracle Critical Patch Update (CPU) -

This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations.  The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.