April 2008 Critical Patch Update Released

Hello, this is Eric Maurice!

Oracle today released the April 2008 Critical Patch Update (CPUApr2008).  This Critical Patch Update (CPU) addresses a total of 41 vulnerabilities affecting Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications.  Fifteen of these vulnerabilities are specific to Oracle Database Server (an additional two affect Oracle Application Express).  Note, however, that a number of these Database Server vulnerabilities affect optional Database Server components, and only one of them is remotely exploitable without authentication.

None of the Oracle Database Server fixes requires patching database client-only installations, but this CPU does include one fix for Oracle Application Server client-only installations.  As with the January 2008 CPU, this CPU includes an Application Server client fix for a vulnerability affecting JInitiator, a web browser extension that lets end users run Oracle Forms Services applications within their browser.  This vulnerability affects only JInitiator version 1.3.1.14 and earlier.  Like the previously fixed JInitiator vulnerabilities, it has a CVSS score of 9.3 because it could allow an attacker to gain full control of the targeted client (e.g., a workstation) at the operating system level; it cannot result in a compromise of the server component.  The fix therefore has to reach the end-user machines on which JInitiator is installed, not only the Application Server hosts.

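The 9.3 above is a CVSS 2.0 base score.  As an added worked example (this is not Oracle's code, and not the scoring behind the advisory), the following Python computes CVSS 2.0 base scores from a base vector using the equations and metric weights of the CVSS v2.0 specification.  The vector `AV:N/AC:M/Au:N/C:C/I:C/A:C` is an assumption: it matches the description (network-reachable, the user has to open attacker-controlled content so access complexity is medium, no authentication, complete loss of confidentiality, integrity and availability on the client) and yields 9.3, but the page does not publish the advisory's actual vector.

```python
"""Worked CVSS 2.0 base-score calculation (added example, not Oracle's code).

Equations and metric weights are those of the CVSS v2.0 specification.
The sample vectors below are constructed for illustration; the page does
not publish the exact vector behind the JInitiator 9.3 score.
"""
import math

# Metric weights from the CVSS v2.0 base equations.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Assumed vector consistent with the text: remote, user must open hostile
# content (AC:M), no authentication, full control of the client OS.
JINITIATOR_LIKE_VECTOR = "AV:N/AC:M/Au:N/C:C/I:C/A:C"  # assumption, not from the advisory


def parse_vector(vector: str) -> dict:
    """Parse a v2 base vector such as 'AV:N/AC:M/Au:N/C:C/I:C/A:C'."""
    tables = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
              "C": IMPACT, "I": IMPACT, "A": IMPACT}
    parts = {}
    for item in vector.split("/"):
        if ":" not in item:
            raise ValueError(f"malformed metric {item!r}")
        name, value = item.split(":", 1)
        if name not in tables:
            raise ValueError(f"unknown metric {name!r}")
        if value not in tables[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        parts[name] = value
    missing = set(tables) - set(parts)
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return parts


def round_to_one_decimal(x: float) -> float:
    """CVSS v2 rounds half up to one decimal (not Python's banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10


def score_breakdown(vector: str) -> dict:
    """Return the impact and exploitability sub-scores and the base score."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    # f(Impact) zeroes the score when there is no impact at all.
    f_impact = 0.0 if impact == 0 else 1.176
    base = round_to_one_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)
    return {"impact": impact, "exploitability": exploitability, "base": base}


def base_score(vector: str) -> float:
    """Convenience wrapper returning only the rounded base score."""
    return score_breakdown(vector)["base"]


if __name__ == "__main__":
    for v in (JINITIATOR_LIKE_VECTOR,
              "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # same impact, no user interaction needed
              "AV:N/AC:L/Au:N/C:P/I:P/A:P"):  # classic partial-impact remote flaw
        b = score_breakdown(v)
        print(f"{v}: impact={b['impact']:.2f} exploitability={b['exploitability']:.2f} base={b['base']}")
```

Running the block shows what separates 9.3 from a 10.0: the impact sub-score is identical (complete C/I/A), and only the access-complexity weight differs because the victim has to load the hostile content in the browser.  Note also that the score describes the client workstation; the server component is outside the vector's scope, which is consistent with the advisory's statement that the server cannot be compromised through this bug.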
This fourteenth CPU also marks another milestone!  For the first time, the CPU includes fixes for Oracle's Siebel CRM Applications.  As a matter of policy, Oracle tries to synchronize the release of security patches for acquired product lines with the CPUs, and ultimately to bring new product lines into the CPU process (as PeopleSoft, JD Edwards, and now Siebel have been).

The CPU fixes for Siebel CRM Applications are cumulative within each product line to which they apply (there are currently four supported product lines).  This allows customers who have previously skipped security patches to catch up quickly by applying the most current CPU for their product line.

The inclusion of Siebel Enterprise products in the CPU process provides former Siebel customers with a number of benefits.  Under the Siebel model, security fixes were typically bundled with non-security fixes in "Fix Packs".  The most significant vulnerabilities could also be fixed with dedicated ad hoc (unscheduled and non-cumulative) fixes.  Bringing Siebel Enterprise products into the CPU process therefore gives customers better visibility into security fixes.  In addition, customers benefit from the predictability of the CPU schedule, which can reduce the cost of security management in their environment.

The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts.  Oracle Technology Network also hosts additional information about Oracle's implementation of the CVSS 2.0 standard and a glossary of the terms used in the Risk Matrices in the CPU Advisory.  The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources.


 

About This Entry

This page contains a single entry from the blog posted on April 15, 2008 2:57 PM.
