April 2009 Archives

April 14, 2009

April 2009 Critical Patch Update Released

Hello, this is Eric Maurice again!

Today Oracle released the April 2009 Critical Patch Update (CPUApr2009).

This Critical Patch Update (CPU) includes fixes for 43 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle WebLogic.

Sixteen of the 43 vulnerabilities affect Oracle Database Server, and two of these 16 vulnerabilities are remotely exploitable without authentication. In addition, two of these 16 vulnerabilities carry a CVSS Base Score exceeding 7.0 (NVD characterizes the severity of vulnerabilities with a score between 7.0 and 10.0 as “High”).

The most severe Database Server vulnerability has a CVSS Base Score of 9.0. It can potentially allow an attacker to gain full control of a vulnerable server. None of the Oracle Database Server 10g and 11g releases are affected by this vulnerability; however, it does affect Oracle Database Server 9.2.0.8 and 9.2.0.8DV. Because of the severity of this vulnerability, organizations running vulnerable versions (Database Server 9.2.0.8 and 9.2.0.8DV) should plan to apply the Critical Patch Update as soon as possible. Furthermore, until these systems are patched, organizations should ensure that additional mitigation measures are implemented. Such measures may include additional monitoring of these systems and ensuring that appropriate network access control measures are in place around them.

The second most severe Database Server vulnerability has a CVSS Base Score of 7.1. This is a severe score; however, an attacker would need the IMP_FULL_DATABASE privilege to exploit this vulnerability. IMP_FULL_DATABASE allows importing of entire databases and is thus a very high privilege, typically limited to trusted DBAs. Again, organizations are advised to apply the Critical Patch Update as soon as possible. In addition, until these systems are patched, organizations should ensure that the IMP_FULL_DATABASE privilege is limited to trusted administrators, and use of this privilege should be fully audited.

The Critical Patch Update also addresses eight new vulnerabilities in the Oracle WebLogic and AquaLogic product families. Two of these eight vulnerabilities have a CVSS Base Score of 10.0.

The first of these vulnerabilities affects JRockit and encompasses a number of issues affecting the Sun Java Runtime Environment that were previously disclosed by Sun Microsystems. The Critical Patch Update includes all the applicable fixes that were previously released by Sun to solve these issues, applied to JRockit.

The second of these vulnerabilities affects the WebLogic Server Plug-ins for the Apache and IIS web servers. The CVSS Base Score is reported as 10.0 by Oracle, even though organizational security policies typically call for not running web servers as root. In deployments where the web server doesn’t run as root, the CVSS score for this vulnerability is 7.5, because a successful exploit of this vulnerability will not lead to a complete takeover of the machine at the OS layer. Note that Oracle has addressed a series of issues in the WebLogic Server Plug-ins since the BEA acquisition, and the fixes for this plug-in are cumulative. This means that this CPU patch includes all previously released fixes as well. Organizations are encouraged to apply this CPU as soon as possible in order to take advantage of these fixes.

The Critical Patch Update is in its fifth year of existence (the program was introduced in January 2005 and the current CPU is the 18th). Over the years, the program has proven to be flexible enough to accommodate additional product families (with the inclusion of PeopleSoft, Siebel, and BEA, among others), and continues to provide customers with a consistent process and predictable schedule to deal with security patches across their entire Oracle environment.

For More Information:

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

For more information about Oracle’s use of the CVSS standard, see: http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm

April 27, 2009

Inclusion of BEA into Oracle Software Security Assurance Programs (Part II)

This is Reshma Banerjee again. In my last blog entry, I wrote about some of the things that are happening as a result of BEA’s transition into the various Oracle Software Security Assurance programs. Today, I will discuss the changes that affect the security advisories previously published by BEA.

Previously, BEA had a security advisory and patch release program similar to Oracle’s Critical Patch Update. However, as a result of the acquisition, the BEA process has been superseded by the Critical Patch Update process in order to maintain a consistent security patching and advisory experience for all Oracle customers regardless of the products they use. Some of the key changes are highlighted below.

The Critical Patch Updates are released on a quarterly basis, on dates provided a year in advance, thus providing customers a predictable security patching schedule. This predictability was not provided by BEA’s security advisory and patch release program, and it will be of great interest to BEA customers who will now be able to include security patching in their normal maintenance cycles.

Adding further to this predictability, Oracle publishes a summary of the Critical Patch Update documentation on the Thursday prior to the release of each Critical Patch Update. The BEA advisories were included for the first time in the July 2008 Pre-Release Announcement. As for all other Oracle products, the Critical Patch Update Pre-Release Announcements for BEA products provide advance information about the upcoming Critical Patch Update, including:
- Name and version numbers of the products affected by new vulnerabilities that are fixed in the Critical Patch Update
- Number of security fixes for each product suite
- Highest CVSS base score for each product suite
- And, potentially, any other information that may be relevant to help organizations plan for the application of the Critical Patch Update in their environment

The Critical Patch Update Pre-Release Announcements are posted on the Critical Patch Updates and Security Alerts page on Oracle’s web site, and are replaced on the day of the release of the Critical Patch Update with the actual Critical Patch Update Advisory document.

Obviously, the use of a common process for advising customers of security updates across all Oracle products brings consistency to customers, who often have to manage multiple Oracle products in an otherwise heterogeneous technical environment. The advance notification makes customers aware of the key security issues addressed in the CPU and whether they are affected by them. It also gives customers the ability to assess the criticality of the vulnerabilities fixed in the CPU and allows them to prioritize their patching effort.

Another area of change will be with the content of the security advisories for BEA products. The Critical Patch Update documentation includes risk matrices for each product suite that receives new fixes in the CPU. These risk matrices are designed to help customers assess the risk posed by each newly-fixed security vulnerability in their specific environment. The risk matrices provide the following information:
- affected versions of the product,
- affected component and protocol,
- required packages/privileges, and
- CVSS Base Score rating of the vulnerability.

These risk matrices are designed to provide enough information to allow customers to assess the exploitability and impact of the vulnerability and to determine which components/product versions are affected for testing purposes. Vulnerabilities are listed in order of severity in the risk matrices, and as a result, customers can easily identify the vulnerabilities most critical to them. The risk matrices can also be used to single out the systems most at risk in a customer’s environment so that these systems can be patched first.

In the past, BEA advisories used an alternate form of risk assessment, which was at times redundant with the type of information disclosed in the Oracle CPUs. In order to maintain consistency in the CPU documentation, this alternate form of risk assessment will no longer be provided. In addition, BEA used to provide specific information about the types of vulnerabilities fixed in the advisory. Under Oracle’s policies, this information is deemed too specific and potentially harmful, as it could empower malicious attackers. This kind of detailed information will therefore no longer be provided.

In addition, starting with the April CPU, patch availability information for the security advisories for former BEA products will be made available exclusively through Metalink. This is also consistent with the practices for most other Oracle products.

The adoption of Oracle Software Security Assurance also results in changes in how we communicate with security researchers. Prior to the acquisition, BEA used secalert@bea.com for any email communication with security researchers. This address is now replaced by secalert_us@oracle.com, which is the address used for all other Oracle products. Note that BEA did not use encrypted email for communicating with security researchers; Oracle, however, encourages the use of encryption for such communication (Oracle’s encryption key can be found at http://www.oracle.com/technology/deploy/security/encryptionkey.html).

Finally, like the now obsolete BEA security site, the Oracle Critical Patch Updates and Security Alerts site supports RSS feeds. Anyone can subscribe to these feeds and be notified of changes made to the page (including when the Pre-Release Announcements are published). Note that BEA customers who were previously subscribed to the BEA RSS feeds will need to re-subscribe to the Oracle RSS feed at http://www.oracle.com/technology/deploy/security/alerts.htm.

I feel that the adoption of the various Oracle Software Security Assurance programs has contributed to making the security advisory program for BEA products more predictable and useful to customers. In my opinion, the Oracle and BEA teams put in a tremendous effort to align the processes to provide a consistent and positive experience to ALL Oracle customers.

About April 2009

This page contains all entries posted to The Oracle Global Product Security Blog in April 2009. They are listed from oldest to newest.
