Oracle January 2007 CPU Initial Thoughts
Oracle has released the January 2007 Critical Patch Update (CPU). A major change for this quarter's CPU was the release of a pre-announcement on January 11th giving an overview of the products patches and a summary of the vulnerabilities. On the surface, the pre-announcement looked pretty bad with the highest CVSS base score being 7.0 for the database, Enterprise Manager, and E-Business Suite. However, the worst database vulnerabilities are exclusively in the Oracle HTTP Server, which is an optional component for the database.
Generally, the CPU is very similar to previous quarters in terms of the types of vulnerabilities and scope. The most disconcerting issue is that the same packages keep appearing in the CPUs - sys.dbms_capture_adm_internal (January 2006) and sys.dbms_cdc_subscribe (April 2005).
The worst vulnerabilities are in the Oracle HTTP Server SSL Module (OpenSSL) with OpenSSL versions prior to 0.9.7l and 0.9.8d being vulnerable. SSL must be configured for the Oracle HTTP Server in order to exploit these bugs. Only the 9i versions (9.0 and 9.2) of the Oracle Database HTTP Server and Oracle E-Business Suite Oracle Application Server (1.0.2.2) are vulnerable, not any supported versions of the Oracle Application Server. If you are running a desupported version of the Oracle Application Server, you most likely are vulnerable to these OpenSSL bugs.
Here are some further observations -
- The 9.2.0.8 database patch is really the October 2006 CPU patch, which was released late on December 29, 2006. I am assuming Oracle just rolled-up any January 2007 fixes in the October 2006 patch, although it could be a mistake in the advisory.
- For 10.2.0.3, the installation note says the patch for 10.2.0.3 is "not applicable", but the advisory says the assessment of vulnerabilities in 10.2.0.3 is not complete and patches are forthcoming. When performing your risk and impact assessment, be sure to include 10.2.0.3 as needing to be patched.
- Again this quarter, a number of CPU patches are delayed including the following -
- Database patches 9.2.0.5 (Unix/Linux), 9.2.0.6, 10.1.0.3 (Unix/Linux), and 10.2.0.3. With the October 2006 CPU, some of these short delays did become almost 75 days.
- Oracle Application Server 9.0.4.1 (Unix/Linux)
- Oracle Identity Management 10.1.4
- Oracle Enterprise Manager 10.2.0.1
Overall, I think Oracle is beginning to get a little sloppy with the Critical Patch Update process as there seems to be many more missing patches and minor errors in the advisory and notes (incorrect titles, etc.). The whole process from an internal Oracle perspective is very complex with the number of products and platforms involved, but after 2 years of CPUs Oracle should have the internal handling of CPUs in a little better shape.