
July 15, 2008

July 2008 Critical Patch Update Released

Hello, this is Eric Maurice again!

Oracle today released the July 2008 Critical Patch Update (CPUJul2008). While this is Oracle's fifteenth Critical Patch Update (CPU), and personally, my ninth CPU (I joined Oracle in time for CPUJul2006), I am still impressed with the dedication and great talent of everyone who is involved with the production of each CPU. Over the years, Oracle has introduced many enhancements to the CPU and successfully extended its scope to many products added via acquisition.

Today’s CPU is characterized by two significant developments: the adoption of the Common Vulnerabilities and Exposures (CVE) numbering scheme, and the inclusion of the BEA, TimesTen, and Hyperion product lines in the Critical Patch Update. But more on these topics later! Let’s first have a look at the content of this CPU.

Today’s CPU includes fixes for 45 new security vulnerabilities across a wide range of products: Oracle Database Server, Oracle Application Server (including Hyperion Performance Suite), Oracle TimesTen, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle WebLogic Server. Eleven of these vulnerabilities affect Oracle Database Server, and none of these Database Server vulnerabilities are remotely exploitable without authentication. The criticality of these 45 new vulnerabilities fixed in the CPU ranges from a CVSS base score of 1.5 to 6.8 (on a scale of 10). See our previous blog entry series for more information about CVSS and an explanation of the CVSS base scoring formula. Finally, note that none of these 45 fixes affect client-only installations.

As mentioned earlier in this blog, this CPU is also characterized by the adoption of the Common Vulnerabilities and Exposures (CVE) system. As explained on the CVE program web site, “CVE Identifiers (also called "CVE-IDs," "CVE names," "CVE numbers," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.” Starting with the July 2008 Critical Patch Update, Oracle will use these CVE identifiers to identify the vulnerabilities fixed in each new CPU, and will no longer use the proprietary numbering convention previously used in the CPU risk matrices. As a result, each new vulnerability fixed in the CPU will be assigned a unique CVE Identifier. This change was made possible because Oracle became a “Candidate Naming Authority” under the CVE program. Note that while the CPU documentation is the only authoritative source of information about vulnerabilities in Oracle products, and as such should remain the primary source of information about such vulnerabilities, the use of unique CVE identifiers should simplify how Oracle vulnerabilities are identified in external security reports such as those produced by security researchers and vulnerability management systems. The use of CVE identifiers in the CPU documentation, along with the publication of Common Vulnerability Scoring System (CVSS) base scores, is further evidence of Oracle’s customer focus in its vulnerability disclosure practices.

Finally, this Critical Patch Update also marks the inclusion of the BEA, TimesTen, and Hyperion product lines in the CPU process.

The inclusion of BEA in the CPU was particularly rapid because of the similarities between the current CPU process at Oracle and the patching procedures previously in use at BEA. Furthermore, all involved in the CPU process have grown skilled at dealing with newly acquired companies, products (and people). The skill with which Oracle successfully integrates acquisitions extends to all involved with Oracle Software Security Assurance.

Today, the CPU process provides a cohesive program for the patching of hundreds of Oracle products across many platforms. Developed with customers in mind, the Critical Patch Update provides a predictable patching schedule that is designed to fall outside of typical blackout dates experienced by most customers (such as end of fiscal year, end of calendar year, etc.). As a result of this predictability (CPUs are issued on the Tuesday closest to the 15th of the months of January, April, July, and October), Oracle customers can leverage normal maintenance windows for deploying security updates to Oracle products, thus reducing interruptions to their production environment.
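The schedule rule just stated ("the Tuesday closest to the 15th of January, April, July, and October") is simple to apply by hand once, but a patch-planning team wants it computed for any year. The following is an added example, not code from the post or from Oracle; it implements that rule so a maintenance window can be booked ahead of each CPU.

```python
from datetime import date, timedelta

# Months in which a Critical Patch Update is issued, per the post.
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def closest_tuesday(year: int, month: int) -> date:
    """Return the Tuesday closest to the 15th of the given month.

    This is the rule stated in the post. No tie is possible: the 15th is
    always within three days of exactly one Tuesday, so the signed offset
    computed below lies in -3..+3.
    """
    mid = date(year, month, 15)
    offset = (TUESDAY - mid.weekday() + 3) % 7 - 3
    return mid + timedelta(days=offset)


def cpu_dates(year: int) -> list[date]:
    """All four CPU release dates for a calendar year, in order."""
    return [closest_tuesday(year, m) for m in CPU_MONTHS]


def next_cpu(today: date) -> date:
    """First CPU release date on or after `today`.

    Checking this year and the next is sufficient: after the October CPU
    the next one is always the January CPU of the following year.
    """
    for year in (today.year, today.year + 1):
        for release in cpu_dates(year):
            if release >= today:
                return release
    raise RuntimeError("unreachable: a CPU date always exists within a year")


if __name__ == "__main__":
    # The post itself was published on a CPU day, July 15, 2008.
    for d in cpu_dates(2008):
        print(d.isoformat(), d.strftime("%A"))
    print("next CPU after 2008-08-12:", next_cpu(date(2008, 8, 12)))
```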

For More Information:

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

The CVE web site is located at: http://cve.mitre.org/

About July 2008

This page contains all entries posted to The Oracle Global Product Security Blog in July 2008. They are listed from oldest to newest.
