Oracle Critical Patch Update July 2009 Pre-Release Analysis
Here is a brief analysis of the pre-release announcement for the upcoming July 2009 Oracle Critical Patch Update (CPU) -
- Overall, 33 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Apr-09=43, Jan-09=41, Oct-08=36, Jul-08=45, Apr-08=41, Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
- The product and vulnerability mix appears to be similar to previous CPUs. All CPU supported Oracle Database, Oracle Application Server, and Oracle E-Business Suite versions are included. The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
- Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.6, and 11.1.0.7 for major platforms
- Application Server = 9.0.4.3, 10.1.2, and 10.1.3
- E-Business Suite = 11.5.10.x, 12.0.x, and 12.1.x
- The highlight of this CPU are 3 remotely exploitable without authentication vulnerabilities in the Oracle Database. It is rare to have a single remotely exploitable without authentication vulnerability in the database and having three such vulnerabilities could make this a significant and high priority CPU. Most likely these 3 vulnerabilities are in the Listener, Network Authentication, and Network Foundation components.
- There are no major version support changes in for this CPU.
Oracle Database
- There are 10 database vulnerabilities and three are remotely exploitable without authentication. As previously noted, the three remotely exploitable without authentication vulnerabilities could make this one of the most critical quarterly releases in the past three years.
- The three remotely exploitable without authentication vulnerabilities are most likely in the Listener, Network Authentication, and Network Foundation components. One of these vulnerabilities has a CVSS 2.0 metric of 9.0, thus making this a highly critical patch.
- Similar to the January 2009 CPU, there are two critical vulnerabilities (one remotely exploitable without authentication and a CVSS 2.0 metric of 10).
Oracle Application Server
- There are two new Oracle Application Server vulnerabilities, both of which are remotely exploitable without authentication. In previous CPUs, the majority of Oracle Application Server vulnerabilities have tended to be remotely exploitable without authentication. The vulnerabilities are in the Core HTTP Server (Apache) and the Oracle Security Developer Tools. The highest CVSS 2.0 metric is a 5.0 suggesting that these are only of limited risk. For the Oracle HTTP Server which is based on Apache, Oracle provides security fixes for previously released Apache vulnerabilities several month later. Most likely this Core HTTP Server vulnerability is a fix for a previously released Apache vulnerability.
Oracle E-Business Suite 11i and R12
- There are 8 new Oracle E-Business Suite 11i and R12 vulnerabilities and five are remotely exploitable without authentication.
- Of most interest are the iSupplier Portal and iStore vulnerabilities, which may require immediate patching for Internet-facing implementations.
- This is the first CPU with a patch for 12.1.
Planning Impact
- The criticality of this quarter's CPU may be higher for the Oracle Database than previous CPUs.
- As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.