Oracle Critical Patch Update January 2011 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming January 2011 Oracle Critical Patch Update (CPU) -
- Overall, 43 Oracle security vulnerabilities are fixed in this CPU, which is an average number and well within the range of previous CPUs (Oct-10=50, Jul-10=38, Apr-10=31, Jan-10=24, Oct-09=38, Jul-09=30, Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80). These numbers have been normalized to Oracle products only and exclude any Sun products.
- The Oracle product and vulnerability mix appears to be similar to previous CPUs. All CPU-supported Oracle Database and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine whether a version upgrade is required before the CPU security patches can be applied -
- Database = 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.1 for major platforms
- Application Server = 10.1.2.3.0, 11.1.1.2.0, and 11.1.1.3.0
- E-Business Suite = 11.5.10.x, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3
- The major versions no longer supported by Critical Patch Updates are Oracle Database 9.2.0.8 (July 2010) and Oracle Application Server/Fusion Middleware versions 10.1.3.5.0 and 11.1.1.1.
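The following is an added example, not code from the original post or from Integrigy: a small Python check that compares an installed Oracle version string against the CPU-supported list above and, for an unsupported version, names the latest supported patchset in the same release line that it would have to be upgraded to before the CPU can be applied. The supported lists are copied from the bullets above; the "release line" depth (two components for Database and E-Business Suite, three for Application Server) is an assumption of this example, and the inventory at the bottom is constructed sample input. On a live database the version string would come from `SELECT version FROM v$instance`.

```python
"""Check installed Oracle versions against the January 2011 CPU supported
list and report the patchset a non-supported release must move to first.

Added example, not from the original post. SUPPORTED is copied from the
list above; the inventory at the bottom is constructed sample input. On a
live database the version string comes from: SELECT version FROM v$instance
"""

SUPPORTED = {
    "database": ["10.1.0.5", "10.2.0.4", "10.2.0.5", "11.1.0.7", "11.2.0.1"],
    "application_server": ["10.1.2.3.0", "11.1.1.2.0", "11.1.1.3.0"],
    "ebs": ["11.5.10.x", "12.0.4", "12.0.5", "12.0.6",
            "12.1.1", "12.1.2", "12.1.3"],
}

# Assumption of this example: leading components that identify a release
# line. Moving to a later patchset inside the line (10.2.0.3 -> 10.2.0.5)
# is a patchset upgrade; no patched release in the line means a major
# upgrade is needed before the CPU can be applied.
LINE_DEPTH = {"database": 2, "application_server": 3, "ebs": 2}


def parse_version(text):
    """'10.2.0.4.0' -> (10, 2, 0, 4); 'x' becomes None as a wildcard.
    Trailing zeros are dropped so banner output compares cleanly."""
    parts = [None if p.lower() == "x" else int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches(installed, entry):
    """True if a supported entry is a prefix of the installed version.
    Extra trailing components on the installed side (a PSU level such as
    10.2.0.4.1) do not disqualify it; 'x' matches anything from there on."""
    padded = installed + (0,) * max(0, len(entry) - len(installed))
    for have, want in zip(padded, entry):
        if want is None:
            return True
        if have != want:
            return False
    return True


def sort_key(version):
    """Wildcards sort as 0 so versions can be ordered as plain tuples."""
    return tuple(0 if p is None else p for p in version)


def check(product, installed_text):
    """Return {'supported': bool, 'upgrade_to': str|None}. upgrade_to is the
    latest CPU-supported patchset in the same release line, or None when the
    version is already supported or the whole line has dropped off the CPU."""
    installed = parse_version(installed_text)
    entries = SUPPORTED[product]
    if any(matches(installed, parse_version(e)) for e in entries):
        return {"supported": True, "upgrade_to": None}
    depth = LINE_DEPTH[product]
    later = [e for e in entries
             if parse_version(e)[:depth] == installed[:depth]
             and sort_key(parse_version(e)) > sort_key(installed)]
    target = max(later, key=lambda e: sort_key(parse_version(e))) if later else None
    return {"supported": False, "upgrade_to": target}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("database", "10.2.0.3.0"), ("database", "11.2.0.1.0"),
                 ("database", "9.2.0.8"), ("application_server", "10.1.3.5.0"),
                 ("ebs", "12.0.3"), ("ebs", "11.5.10.2")]
    for product, version in inventory:
        r = check(product, version)
        if r["supported"]:
            state = "CPU applies"
        elif r["upgrade_to"]:
            state = f"upgrade to {r['upgrade_to']} before CPU"
        else:
            state = "release line not covered: major upgrade needed"
        print(f"{product:19} {version:12} {state}")
```

Run against a real inventory, the useful output is the rows that report a major upgrade: those are the environments (for example Database 9.2.0.8 or Application Server 10.1.3.5.0, which the bullet above notes have dropped out of CPU support) that cannot be brought current by this CPU at all and need to be planned separately.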
- The highlight of this CPU is that 12 of the 16 Oracle Application Server/Fusion Middleware security vulnerabilities are remotely exploitable without authentication, with the highest CVSSv2 score being 10.0. The vulnerabilities are in the Oracle BI Publisher, Oracle Discoverer, Oracle Document Capture, Oracle GoldenGate Veridata, Oracle HTTP Server, Oracle JRockit, Oracle Outside In Technology, Oracle WebLogic Server, and Services for Beehive components.
- Integrigy will be presenting more information on this CPU in the following webinars: (1) Oracle January 2011 CPU E-Business Suite Impact Webinar Thursday, January 27, 2pm ET and (2) Oracle January 2011 CPU Oracle Database Impact Webinar Thursday, February 3, 2pm ET.
Oracle Database
- There are 6 database vulnerabilities, 2 of which are remotely exploitable without authentication.
- Since at least one database vulnerability has a CVSS 2.0 base score of 7.5 (the practical maximum for a database vulnerability), this is a fairly important CPU. Most likely, any database account, even a low-privileged one, will be able to gain full control of the database by exploiting that vulnerability.
- The components fixed by this CPU are not the usual suspects, and several are not installed in many environments. It will be interesting to see what the actual vulnerabilities are in these components: Client System Analyzer, Cluster Verify Utility, Database Vault, Oracle Spatial, Scheduler Agent, and UIX.
Oracle Fusion Middleware
- There are 16 new Oracle Fusion Middleware vulnerabilities, 12 of which are remotely exploitable without authentication with the highest CVSS score being 10.0.
- Of critical importance will be the fixes in Oracle HTTP Server and Oracle WebLogic Server. All Oracle Fusion Middleware customers should carefully review this CPU to determine the exact impact on their environment.
Oracle E-Business Suite 11i and R12
- There are 2 new Oracle E-Business Suite 11i and R12 vulnerabilities, both of which are remotely exploitable without authentication.
- The vulnerabilities are in Oracle Application Object Library and Oracle Common Applications. It is not clear whether either of these modules can be exploited externally in DMZ implementations.
Planning Impact
- We anticipate that the criticality of this quarter's CPU will be in line with previous CPUs. The only exception may be the significant number of remotely exploitable Oracle Fusion Middleware vulnerabilities, especially any in Oracle HTTP Server.
- As with all previous CPUs, this quarter's security patches should be deemed critical, and you should adhere to the established procedures and timing used for previous CPUs.
- Oracle E-Business Suite customers with externally facing implementations should carefully review the remotely exploitable vulnerabilities in Application Object Library to determine whether the affected pages are blocked by the URL firewall. If any of the vulnerable web pages are externally accessible, customers should patch those environments immediately.
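As an added example (not code from the original post or from Integrigy), the check recommended above can be scripted: request each candidate page through the externally facing E-Business Suite URL from a host outside the DMZ and record which ones are actually served. The page names in `CANDIDATES` are hypothetical placeholders, since the pre-release announcement does not name the affected pages; substitute the pages listed in the advisory once it is published. The example assumes that `/OA_HTML/` is the E-Business Suite JSP virtual directory and that a page blocked by the URL firewall answers with HTTP 403; any answer other than 403 or 404 is treated as reachable and flagged for immediate patching.

```python
"""Probe an externally facing Oracle E-Business Suite URL from outside the
DMZ and report which candidate pages the URL firewall lets through.

Added example, not from the original post. The page names in CANDIDATES
are hypothetical placeholders: substitute the pages named in the CPU
advisory. Assumptions: /OA_HTML/ is the EBS JSP virtual directory, and a
page blocked by the URL firewall answers 403 (anything else that is not
a 404 is treated as reachable and must be reviewed by hand).
"""
import sys
import urllib.error
import urllib.request

# Hypothetical placeholders; replace with the pages listed in the advisory.
CANDIDATES = [
    "/OA_HTML/PlaceholderPageA.jsp",
    "/OA_HTML/PlaceholderPageB.jsp",
    "/OA_HTML/PlaceholderPageC.jsp",
]


def http_status(url, timeout=10):
    """Return the HTTP status for a GET of url, or None if no HTTP answer
    came back at all (DNS failure, connection refused, timeout).
    Redirects are followed, so a bounce to the login page reports the
    final status rather than the 302."""
    req = urllib.request.Request(url, headers={"User-Agent": "cpu-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 403, 404, 500 ... are still answers
    except (urllib.error.URLError, OSError):
        return None


def classify(status):
    """Map a status code to what it means for CPU planning."""
    if status is None:
        return "unreachable"   # host not answering; not evidence of blocking
    if status == 403:
        return "blocked"       # assumed URL-firewall response
    if status == 404:
        return "absent"        # page not deployed on this node
    return "reachable"         # 200, 500, or a followed login redirect: served


def probe(base_url, paths=CANDIDATES, fetch=http_status):
    """Return [(path, status, verdict), ...]; fetch is injectable so the
    logic can be exercised offline against canned responses."""
    results = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + path)
        results.append((path, status, classify(status)))
    return results


def exposed(results):
    """Paths the outside world can reach and that therefore need the CPU
    applied immediately rather than on the normal schedule."""
    return [path for path, _, verdict in results if verdict == "reachable"]


if __name__ == "__main__":
    # Base URL is a placeholder; pass the real external EBS URL as argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else "https://ebs.example.com"
    for path, status, verdict in probe(base):
        print(f"{verdict:12} {status!s:>5}  {path}")
    print("exposed:", exposed(probe(base)))
```

Run it from a host that sits where an anonymous Internet user would, not from inside the DMZ, since the URL firewall only matters for the path an outsider takes. An "unreachable" verdict says nothing about the firewall and should be re-run, and any "reachable" page should be confirmed in a browser before the environment is moved to the front of the patch queue.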