New information has been released for an Oracle E-Business Suite 11i security vulnerability fixed as part of the April 2007 Critical Patch Update. The vulnerability was discovered by Joxean Koret and the TippingPoint Zero Day Initiative released the advisory. For those of you not familiar with the Zero Day Initiative, it is a security vendor sponsored program that pays for security vulnerability information.
The Oracle E-Business Suite R12 Release Update Pack (RUP6 or 12.0.6) was released on November 7, 2008. This is the latest cumulative update patch for all product families including Applications Technology (ATG). The patch is 2GB in size and can be applied on top of any R12 version. The only prerequisite step is to apply R12.AD.A.DELTA.6 (7305220). See Metalink Note ID 743368.1 for more information.
Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server). The CVE ID is CVE-2008-3257. The CVSS 2.0 score for this vulnerability is 10 out of 10. To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.
In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (i.e., DB01, AS01, APP01, etc.). Common Vulnerabilities and Exposures (CVE) is a standardized dictionary of identifiers for publicly known security vulnerabilities. The purpose of CVE is to provide a single identifier for each security vulnerability so that vendors, tools, and organizations can all refer to the same vulnerability by the same name. The format of the CVE identifier is (1)
This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday. The presentation will focus on the impact to Oracle E-Business Suite environments.
Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time
Oracle released the fourteenth Critical Patch Update (CPU) last week. This quarter is the same as the previous thirteen: many patches and long hours in order to get all the security patches applied in a timely manner. Around 20 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite. Fortunately, like the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.
The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations. The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.
Here is a brief analysis for the upcoming April 2008 Oracle Critical Patch Update (CPU) -
In the Oracle pre-release announcement for the April 2008 Critical Patch Update, one line in particular did catch my attention. I know Oracle has purchased many companies in the past few years. So how many products does Oracle have? Well, the CPU pre-release announcement states that --
For those of you not familiar with COLLABORATE or have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content. COLLABORATE 08 is next week, Sunday, April 13 through Thursday, April 17 in Denver. This year there will be over 500 technical sessions covering virtually every Oracle product.
A point of contention and confusion regarding Oracle Critical Patch Update (CPU) database patches is that only a limited set of database patchsets are supported. For the January 2008 CPU, only the patchsets 9.2.0.8, 10.1.0.5, 10.2.0.2, 10.2.0.3, and 11.1.0.6 are supported. Oracle's policy is stated in the CPU Frequently Asked Questions (FAQ) (Metalink Note ID 360470.1) -
An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes. The list of bugs fixed in the database patch readme is cryptic at best, and it can be difficult to determine the true impact of a specific CPU patch. Including non-security related fixes in the CPU patch reduces confidence that the patch will not break something.
Since several new Oracle exploits were published this week, I thought it would be a good time to provide some background on exploits.
This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, January 15th. In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday. The presentation will focus on the impact to Oracle E-Business Suite environments.
Thursday, January 17 at 9:00 am and 5:00 pm U.S. Eastern Time