Is the Oracle Critical Patch Update for October 2010 Massive?
The news reports describing the October 2010 Oracle Critical Patch Update (CPU) are using terms like "giant", "massive", and practically every other known synonym for a really big security patch release. These news reports must be resonating with CIOs and CSOs as Integrigy has received a number of client calls and a huge response to our upcoming webinars detailing this CPU.
As always, a little perspective and analysis are required to quantify what is actually in the CPU and the risk it poses to an organization. First, let's look at the 85 vulnerabilities patched in this CPU to see how it compares with previous CPUs:
- 75% (63 of 85) of the bugs fixed in this CPU are in products Oracle has acquired since the release of the first CPU in January 2005.
- 40% (36 of 85) of the bugs fixed in this CPU are in products Oracle has owned for less than a year (Sun).
- Only 7 database vulnerabilities are fixed this quarter, whereas the historical average is 16.5 database bugs per quarter.
- Only 6 E-Business Suite vulnerabilities are fixed this quarter, whereas the historical average is 9 bugs per quarter.
A more detailed look at the security bug count and maximum CVSS score by quarter shows that, for the Oracle Database and Oracle E-Business Suite, this CPU is average or slightly below average in both bug count and maximum CVSS score. Integrigy's preliminary analysis of this CPU shows that 4 of the 7 database vulnerabilities can be exploited with no database credentials or with just the CREATE SESSION system privilege, which is consistent with previous CPUs; the other 3 vulnerabilities require advanced or infrequently granted privileges or roles such as EXECUTE_CATALOG_ROLE.
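Since the risk of the three privilege-dependent fixes depends on who actually holds roles like EXECUTE_CATALOG_ROLE, a DBA can size that exposure before prioritizing. The following Oracle SQL is an added example, not from the original post or Integrigy; it assumes access to the DBA_USERS and DBA_ROLE_PRIVS dictionary views and walks nested role grants with CONNECT BY.

```sql
-- Added example (not from the original post). Run as a DBA.
-- 1) Accounts that end up with EXECUTE_CATALOG_ROLE, either granted
--    directly (hops = 1) or inherited through intermediate roles.
--    The hierarchy is built in a subquery first: joining DBA_USERS before
--    CONNECT BY would drop the role-to-role rows and hide nested grants.
SELECT u.username,
       u.account_status,
       h.hops,
       h.role_path          -- EXECUTE_CATALOG_ROLE/ROLE_A/ROLE_B ... -> username
  FROM (
        SELECT grantee,
               LEVEL                                              AS hops,
               LTRIM(SYS_CONNECT_BY_PATH(granted_role, '/'), '/') AS role_path
          FROM dba_role_privs
         START WITH granted_role = 'EXECUTE_CATALOG_ROLE'
        CONNECT BY NOCYCLE PRIOR grantee = granted_role
       ) h
  JOIN dba_users u
    ON u.username = h.grantee          -- keep real accounts, not roles
 ORDER BY u.account_status, h.hops, u.username;

-- 2) The other four fixes need only a login (CREATE SESSION), so the
--    exposed population is every account that can still connect.
--    EXPIRED accounts are kept: they can log in and are forced to change
--    their password; LOCKED variants cannot log in at all.
SELECT username,
       account_status,
       created
  FROM dba_users
 WHERE account_status NOT LIKE '%LOCKED%'
 ORDER BY created;
```

Any open account in the first result set that is not a DBA or a documented admin role holder is a least-privilege finding in its own right, independent of this quarter's patches.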
Clearly, for the Oracle Database and Oracle E-Business Suite, this CPU is no different from the previous twenty-three CPUs and should be handled with the same processes and prioritization as previous CPUs.
Upcoming Integrigy Oracle Critical Patch Update Webinars
Oracle October 2010 CPU E-Business Suite Impact Webinar
Thursday, October 21, 2-3pm EDT
Oracle October 2010 CPU Oracle Database Impact Webinar
Thursday, October 28, 2-3pm EDT