Critical Patch Update July 2007 Pre-Release Analysis

Here is a brief analysis of the pre-release announcement for the upcoming July 2007 Critical Patch Update (CPU) -

  • Overall, 46 security vulnerabilities are fixed in this CPU, which is lower than average but in the range of previous CPUs (Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • The product and vulnerability mix is similar to previous CPUs with the notable addition of Oracle Application Express (APEX).  All supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included.  There are no new vulnerabilities in Oracle Enterprise Manager.
  • Oracle is instituting a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively developed. The CPU patches will only be available upon request.  Fortunately according to the April 2007 CPU note (Metalink Note ID 420061.1), all supported platform/version combinations will have patches proactively released for the July 2007 CPU.  The database note for the July 2007 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

Oracle Database

  • There are two easy to exploit, remotely exploitable, and authentication not required vulnerabilities, which are not typical of previous database vulnerabilities.  Most previous database vulnerabilities require database authentication to exploit.
  • At least one of the database security vulnerabilities has a CVSS metric of 4.2, which for database vulnerabilities should be considered high risk.
  • The major version support changes are that 10.1.0.4 and 10.2.0.1 will not be supported on any platform.

Oracle Application Server

  • The security vulnerabilities exist in Oracle JDeveloper, Oracle Internet Directory, and Oracle Single-Signon.  External application servers running OID or SSO should be prioritized as 3 of these vulnerabilities are remotely exploitable without authentication.  Although, the highest CSS metric is 2.3 for these vulnerabilities indicating they most likely are Cross Site Scripting (XSS) or Denial of Service (DoS) vulnerabilities.
  • The recently released (late June) version 10.1.3.3.0 must be patched.

Oracle E-Business Suite 11i and R12

  • There are six easy to exploit, remotely exploitable, and authentication not required vulnerabilities.  Some of these security bugs most likely exist in AOL, iRecruitment, Configurator and/or iExpense, which will require immediate patching.
  • 11.5.7 is not supported by the CPU due to the end of Premier Support in May 2007.
  • All supported versions are included (11.5.8 to 11.5.10 CU2 and 12.0.0 to 12.0.1).

Planning Impact

  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.
  • Customers running iRecruitment or Configurator should considering applying these patches ASAP.

Note: The pre-release announcement is removed when the CPU is released.

 Share this post