
April 2007 Archives

April 10, 2007

April 2007 Critical Patch Update Pre-Release Announcement

Hello, this is Bruce Lowenthal, Director of the Security Alerts Team.  This note is to announce the publishing of the Pre-Release Announcement of the April 2007 Critical Patch Update (CPU).   This Pre-Release Announcement provides a summary of the information that will be published as the April 2007 Critical Patch Update Advisory on April 17, 2007.  It contains the following information:

  • Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the CPU
  • Specific product components affected
  • The number of vulnerabilities being fixed in total and in each suite
  • The CVSS base score of the most severe vulnerability in total and in each suite.  Note that CVSS scores for all vulnerabilities will be provided in the CPU Advisory itself.
  • Additional information that may be relevant to help customers plan for the application of the CPU in their environment

While Oracle tries to make CPU Pre-Release Announcements as accurate as possible at the time of their publication, the information they contain may change before the actual publication of the CPU.

The April 2007 Critical Patch Update will be released on Tuesday, April 17th.  The Critical Patch Update Pre-Release Announcement can be found online on the Critical Patch Update and Security Alerts page on Oracle Technology Network.

April 17, 2007

April 2007 Critical Patch Update Released

Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.

Today, Oracle released its April 2007 Critical Patch Update (CPUApr2007).  This Critical Patch Update (CPU) addresses a total of 36 vulnerabilities affecting Oracle Database Server and Client, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Applications.

This release of the Critical Patch Update also marks a small milestone for Oracle Software Security Assurance: it is Oracle's tenth Critical Patch Update.  On this tenth anniversary, I thought I would discuss some of the changes and enhancements that have been brought to the Critical Patch Update.

Started at the beginning of 2005 (the first Critical Patch Update was released on January 15, 2005), the Critical Patch Update effectively replaced the Security Alert system by providing a predictable schedule for the release of security patches.  Oracle's Critical Patch Updates are released quarterly on the Tuesday closest to the 15th of the months of January, April, July, and October.  However, Oracle may still deviate from the normal CPU schedule to respond to dangerous threats to our customers.  If necessary, Oracle will issue a Security Alert and customers will receive a timely notification of the Security Alert by email through support sites, e.g. MetaLink and Customer Connection, and Oracle Technology Network.

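The schedule rule above ("the Tuesday closest to the 15th of January, April, July and October") is easy to turn into a small planning helper. The following is an added example, not Oracle tooling; it computes the scheduled CPU dates for a year and the next scheduled date after a given day, which is what a team needs to pencil a maintenance window. Out-of-cycle Security Alerts are, by definition, unpredictable and are not modelled.

```python
"""Compute Oracle Critical Patch Update release dates from the stated schedule rule.

Added example (not Oracle's own tooling): a CPU ships quarterly on the Tuesday
closest to the 15th of January, April, July and October.
"""
from datetime import date, timedelta

CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def closest_tuesday(year: int, month: int, day: int = 15) -> date:
    """Return the Tuesday nearest to the given day of the month.

    A forward offset of 0..3 days is the nearest Tuesday; a forward offset of
    4..6 days means the previous Tuesday is closer. With a 7-day week there is
    never a tie.
    """
    anchor = date(year, month, day)
    forward = (TUESDAY - anchor.weekday()) % 7
    offset = forward if forward <= 3 else forward - 7
    return anchor + timedelta(days=offset)


def cpu_release_dates(year: int) -> list[date]:
    """All four scheduled CPU release dates for a year, in calendar order."""
    return [closest_tuesday(year, m) for m in CPU_MONTHS]


def next_cpu_after(today: date) -> date:
    """First scheduled CPU date strictly after `today`, crossing the year boundary if needed."""
    for candidate in cpu_release_dates(today.year) + cpu_release_dates(today.year + 1):
        if candidate > today:
            return candidate
    raise AssertionError("unreachable: the following year always has a CPU date")


if __name__ == "__main__":
    for d in cpu_release_dates(2007):
        print(d.isoformat(), d.strftime("%A"))
    print("next CPU after 2007-04-20:", next_cpu_after(date(2007, 4, 20)))
```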
The predictability provided by the Critical Patch Update mechanism is very important to Oracle customers.  It enables customers to plan for the Critical Patch Updates and install them in their normal maintenance windows, avoiding undue interruptions to their business-critical systems.

Also, since the Critical Patch Update is cumulative for most Oracle products (the notable exception is E-Business Suite prior to Release 12), customers can usually move to the current patch level quickly by applying the most recent Critical Patch Update for their product.  With this Critical Patch Update, E-Business Suite customers will be happy to find out that Critical Patch Updates for E-Business Suite R12 are cumulative.

Over time the Critical Patch Update documentation was also enhanced to make sure that customers derive more value from it.  For example, Oracle was one of the first vendors to support the Common Vulnerability Scoring System in the security advisories for its products.  The risk matrices in each CPU advisory provide the CVSS base score for the vulnerabilities fixed in the Critical Patch Update, and the vulnerabilities are ranked in the documentation in order of their CVSS severity.  This was an important enhancement, which significantly improved customers' ability to assess the severity of the vulnerabilities addressed in the Critical Patch Updates.  We also provide more information than the CVSS standard requires.  Darius Wiles, in a previous blog entry, discussed Oracle's implementation of CVSS, including the use of Oracle's "Partial+" rating.  With the January 2007 Critical Patch Update, we also introduced the Critical Patch Update Pre-Release Announcement, to provide customers with an advance preview of the upcoming Critical Patch Update.

Even as we reach our tenth Critical Patch Update milestone, the effort required to produce and test the patches for all product and platform combinations in time for our quarterly release dates remains significant.  In an effort to provide enhanced support to our customers, we are introducing a change that will affect the content of all future Critical Patch Updates for Oracle Server and Middleware Products: "On Request" CPU releases for historically inactive combinations.

We have noticed that certain platform and version combinations have historically been inactive, i.e., customers seldom download Critical Patch Updates for these environments.  Starting with the July 2007 Critical Patch Update, instead of systematically creating Critical Patch Updates for those inactive combinations, we will only produce those patches if customers specifically request them.  However, we will continue to include those fixes in the main code line, including future releases and patch sets on all supported versions.

This change should not affect most customers, as we are only targeting inactive combinations.  Oracle currently lists the versions and platforms that will receive patches in the next Critical Patch Update in Section 3.8 ("Planned Patches for Next CPU release") of the Critical Patch Update Availability Information for Oracle Server and Middleware Products.  The "On Request" combinations will be identified in this list, and customers requiring patches listed as "On Request" can request them from Oracle.  The documentation will also detail the process for making these requests.  As an example, MetaLink Note 420061.1, published with the April 2007 Critical Patch Update, will list the versions and platforms that will be supported in the July 17, 2007 Critical Patch Update.

There are too many attributes of the Critical Patch Update to discuss in this blog entry.  Just as we continue to implement ways to improve our coding practices to minimize the impact of security flaws in our software, we continue to search for ways to enhance the Critical Patch Update process so that Oracle's issuance of security fixes has less impact on customers.

As usual, we highly recommend that customers apply all patches promptly.  The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts.  PeopleSoft customers can download security updates on the Customer Connection portal.  The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources.  For example, for those of you who may be inexperienced with the Critical Patch Update, we recently recorded a technical webcast to discuss the use of the One-Off Patch Installer (a.k.a. "OPatch") with the Critical Patch Updates.

April 20, 2007

April 2007 Critical Patch Update Follow Up

Hello, this is Eric Maurice again.  The purpose of this blog entry is to announce today's availability of the April 2007 Critical Patch Update on all Windows 32-bit platforms.

Each Critical Patch Update (CPU) includes a number of fixes for security vulnerabilities that affect different versions of Oracle products across a number of platforms.  Technically, each Critical Patch Update consists of a number of sets of patches, one for each platform/version combination.  For example, the April 2007 Critical Patch Update provides sets of patches to fix 36 vulnerabilities affecting 7 main Oracle products (Oracle Database Server and Client, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Applications) across 20 different types of operating systems.

Patch quality is Oracle's foremost priority, and as a result we thoroughly test each set of patches for all supported versions and platforms.  And while we try to release all the sets of patches on the scheduled day of the Critical Patch Update, sometimes we have to delay publishing a small number of sets of patches for specific version/platform combinations until all testing issues have been resolved.

For example, MetaLink Note 420061.1 (Critical Patch Update Availability Information for Oracle Server and Middleware Products) for the April 2007 Critical Patch Update states that the CPU includes a total of 93 planned sets of patches for Oracle Database Server.  While the vast majority of these sets of patches are already available, others will not be available for a few weeks.

The original version of that MetaLink note stated that Windows 32-bit was not yet available for Database version 9.2.0.8.  At this time, however, the Critical Patch Update for the Windows 32-bit version of the 9.2.0.8 database has become available and the MetaLink note has been updated.

Oracle highly recommends that customers apply the most recent Critical Patch Update as soon as possible.  Furthermore, we also recommend that customers download and consult the most recent security documentation available from Oracle Technology Network or the Resource Library on the Oracle Software Security Assurance web site.

About April 2007

This page contains all entries posted to The Oracle Global Product Security Blog in April 2007. They are listed from oldest to newest.
