Oracle Critical Patch Update April 2007 New Vulnerability Information

New information has been released for an Oracle E-Business Suite 11i security vulnerability fixed as part of the April 2007 Critical Patch Update.  The vulnerability was discovered by Joxean Koret and the TippingPoint Zero Day Initiative released the advisory.  For those of you not familiar with the Zero Day Initiative, it is a security-vendor-sponsored program that pays researchers for security vulnerability information.

Oracle E-Business Suite 12.0.6 - Security Enhancements

The Oracle E-Business Suite R12 Release Update Pack (RUP6 or 12.0.6) was released on November 7, 2008.  This is the latest cumulative update patch for all product families including Applications Technology (ATG).  The patch is 2GB in size and can be applied on top of any R12 version.  The only prerequisite step is to apply R12.AD.A.DELTA.6 (7305220).  See Metalink Note ID 743368.1 for more information.

Urgent Oracle [BEA] WebLogic Security Patch (CVE-2008-3257)

Oracle today released an urgent, out-of-cycle security patch for a critical flaw in the Apache Connector component (mod_weblogic) of the Oracle WebLogic Server (formerly BEA WebLogic Server).  The CVE ID is CVE-2008-3257.  The CVSS 2.0 score for this vulnerability is 10 out of 10.  To put this into perspective, no previous Oracle vulnerability since Oracle began using CVSS base scores in October 2006 has scored a 10 and only 3 previous vulnerabilities (all related to Oracle Jinitiator) have scored 9 or higher.

Oracle Security Advisories and CVE Identifiers

In a major change to the Oracle security advisory process and Critical Patch Update documentation, CVE identifiers are now used in place of the Oracle proprietary numbering scheme (e.g., DB01, AS01, APP01).  Common Vulnerabilities and Exposures (CVE) is a standardized dictionary of publicly known security vulnerabilities, each assigned a unique identifier.  The purpose of CVE is to provide a single identifier per vulnerability so that vendors, tools, and organizations can all refer to the same vulnerability with the same name.  The format of the CVE identifier is (1)
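The practical consequence of the change is that a CPU advisory can be cross-referenced against scanners, vulnerability databases and other vendors' advisories by CVE identifier alone.  The following is an added example, not code from the original post or from Oracle, that pulls the distinct CVE identifiers out of advisory-style text.  The syntax it enforces (the literal prefix CVE-, a four-digit year, and a sequence number of at least four digits) is the standard CVE naming scheme, not something taken from this post; the sample advisory text is constructed for the example, and every identifier in it other than CVE-2008-3257 is a placeholder rather than a real advisory entry.

```python
from __future__ import annotations
import re

# Standard CVE identifier syntax: prefix "CVE-", a four-digit year, and a sequence
# number of four or more digits (longer sequence numbers have been valid since 2014).
# Matching is case-insensitive because copied advisory text is not always upper-case.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# CVE numbering began in 1999; an earlier year is a typo or a false match.
MIN_CVE_YEAR = 1999


def is_valid_cve_id(candidate: str, max_year: int = 2100) -> bool:
    """True if `candidate` is a syntactically valid CVE identifier with a plausible year."""
    match = CVE_RE.fullmatch(candidate)
    if match is None:
        return False
    return MIN_CVE_YEAR <= int(match.group(1)) <= max_year


def extract_cve_ids(text: str, max_year: int = 2100) -> list[str]:
    """Return the distinct CVE identifiers in `text`, normalized to upper case,
    in order of first appearance.  Malformed or implausibly dated references are skipped."""
    seen: dict[str, None] = {}          # insertion-ordered set
    for match in CVE_RE.finditer(text):
        year = int(match.group(1))
        if not MIN_CVE_YEAR <= year <= max_year:
            continue
        seen.setdefault(f"CVE-{match.group(1)}-{match.group(2)}", None)
    return list(seen)


# Constructed sample advisory text (not a real Oracle advisory).  CVE-2008-3257 is the
# mod_weblogic identifier from this page; CVE-2008-0001 is a placeholder only.
SAMPLE_ADVISORY = (
    "Oracle WebLogic Server, Apache Connector (mod_weblogic): CVE-2008-3257, CVSS 10.0\n"
    "Note: cve-2008-3257 is listed again in the risk matrix.\n"
    "Placeholder entry for a second fix: CVE-2008-0001 (constructed for this example)\n"
    "Malformed references that must be ignored: CVE-2008-325 and CVE-1492-0001\n"
)

if __name__ == "__main__":
    for cve_id in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve_id)
```

Run against a real CPU advisory's risk matrix, the resulting list is what you feed to a scanner or ticketing system; the strict syntax check keeps truncated or mistyped identifiers from silently becoming "not found" entries.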

OAUG eLearning: Oracle Critical Patch Update April 2008

This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th.  In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle released the fourteenth Critical Patch Update (CPU) last week.  This quarter is the same as the previous thirteen: many patches and long hours in order to get all the security patches applied in a timely manner.  Around 20 of the 41 vulnerabilities fixed impact the Oracle E-Business Suite.  Fortunately, as in the last few quarters, there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Integrigy COLLABORATE 08 Presentations On-line

The COLLABORATE 08 conference went very well this year with excellent attendance and, as usual, high quality and informative presentations.  The aspect I especially like about COLLABORATE as compared to other conferences is that it is user-driven and almost all the 500+ technical sessions were devoid of any marketing speak or selling of products.

"Hundreds of Oracle Products"

In the Oracle pre-release announcement for the April 2008 Critical Patch Update, one line in particular caught my attention.  I know Oracle has purchased many companies in the past few years.  So how many products does Oracle have?  Well, the CPU pre-release announcement states that --

COLLABORATE 08 Presentations

For those of you not familiar with COLLABORATE or who have not previously attended, the Oracle Applications Users Group (OAUG), Independent Oracle Users Group (IOUG), and Quest have teamed together to host a user-driven event with exceptional content.  COLLABORATE 08 is next week, Sunday, April 13 through Thursday, April 17 in Denver.  This year there will be over 500 technical sessions covering virtually every Oracle product.

Oracle Critical Patch Updates - Types of Fixes in Database Patches

An issue in applying Oracle Critical Patch Update (CPU) database security patches has been that the patches may include non-security related fixes.  The list of bugs fixed in the database patch readme is cryptic at best and it can be difficult to determine the true impact of a specific CPU patch.  Including non-security related fixes in the CPU patch reduces confidence that the patch will not break something.

Oracle Exploits

Since several new Oracle exploits were published this week, I thought it would be a good time to provide some background on exploits.

OAUG eLearning: Oracle Critical Patch Update January 2008

This quarter's Oracle Critical Patch Update (CPU) was released on Tuesday, January 15th.  In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, January 17 at 9:00 am and 5:00 pm U.S. Eastern Time