
April 2009 Critical Patch Update Released

Hello, this is Eric Maurice again!

Today Oracle released the April 2009 Critical Patch Update (CPUApr2009).

This Critical Patch Update (CPU) includes fixes for 43 new security vulnerabilities across the following product families: Oracle Database Server, Oracle Application Server, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, and Oracle WebLogic.

16 of the 43 vulnerabilities affect Oracle Database Server, and two of these 16 are remotely exploitable without authentication. In addition, two of these 16 vulnerabilities carry a CVSS Base Score above 7.0 (NVD characterizes vulnerabilities with a score between 7.0 and 10.0 as "High").

The most severe Database Server vulnerability rates a CVSS Base Score of 9.0 and can potentially allow an attacker to gain full control of a vulnerable server. None of the Oracle Database Server 10g and 11g releases are affected by this vulnerability; it does, however, affect Oracle Database Server 9.2.0.8 and 9.2.0.8DV. Because of the severity of this vulnerability, organizations running the vulnerable versions (Database Server 9.2.0.8 and 9.2.0.8DV) should plan to apply the Critical Patch Update as soon as possible. Until these systems are patched, organizations should put additional mitigation measures in place, such as closer monitoring of these systems and appropriate network access controls (for example, restricting which hosts can reach the listener port) around them.

The second most severe Database Server vulnerability carries a CVSS Base Score of 7.1. This is a high score; however, an attacker would need the IMP_FULL_DATABASE role to exploit this vulnerability. IMP_FULL_DATABASE is the role that allows full-database imports and therefore carries very high privileges, typically limited to trusted DBAs (and inherited by anyone holding the DBA role). Again, organizations are advised to apply the Critical Patch Update as soon as possible. In addition, until these systems are patched, organizations should ensure that IMP_FULL_DATABASE is granted only to trusted administrators, and that grants and use of this role are fully audited.
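The review and audit steps above, as an added example (this is not from the Oracle post or an Oracle-supplied script): the statements below enumerate every account that effectively holds IMP_FULL_DATABASE, including through nested roles such as DBA, revoke it from an account that should not have it, and turn on standard auditing for grants and use of the role. They assume Oracle Database 9.2/10g/11g with standard (pre-Unified) auditing enabled via AUDIT_TRAIL=DB, a session with DBA privileges, and a hypothetical account name APP_BATCH.

```sql
-- Added example, not part of the Oracle post. Assumes AUDIT_TRAIL=DB and a DBA session.

-- 1. Who effectively holds IMP_FULL_DATABASE, directly or via nested roles?
--    CONNECT BY walks the role graph upward from IMP_FULL_DATABASE; Oracle forbids
--    circular role grants, so no NOCYCLE clause is needed (works on 9.2, which has
--    no recursive WITH). The LEFT JOIN distinguishes end users from intermediate roles.
SELECT DISTINCT h.grantee,
       CASE WHEN u.username IS NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type
FROM  (SELECT grantee, granted_role
       FROM   dba_role_privs
       START WITH granted_role = 'IMP_FULL_DATABASE'
       CONNECT BY PRIOR grantee = granted_role) h
       LEFT JOIN dba_users u ON u.username = h.grantee
ORDER BY grantee_type, h.grantee;

-- 2. Remove the role from any account that is not a trusted administrator.
--    APP_BATCH is a hypothetical account name used for illustration.
REVOKE IMP_FULL_DATABASE FROM app_batch;

-- 3. Audit grants of the role, activation of roles, and use of BECOME USER
--    (a system privilege included in IMP_FULL_DATABASE that Import relies on
--    to create objects on behalf of other schemas). BY ACCESS writes one
--    record per statement instead of one per session.
AUDIT SYSTEM GRANT  BY ACCESS;   -- GRANT/REVOKE of system privileges and roles
AUDIT ROLE          BY ACCESS;   -- CREATE/ALTER/DROP/SET ROLE
AUDIT BECOME USER   BY ACCESS;

-- 4. Review the trail: role grants/revokes/activations, and any statement that
--    exercised BECOME USER. Filter on OBJ_NAME or GRANTEE to narrow to the role.
SELECT timestamp, username, os_username, userhost,
       action_name, obj_name, grantee, priv_used, returncode
FROM   dba_audit_trail
WHERE  action_name IN ('GRANT ROLE', 'REVOKE ROLE', 'SET ROLE')
   OR  priv_used = 'BECOME USER'
ORDER BY timestamp;
```

Run step 1 before and after the patch window and diff the two result sets: any new USER row is a grant that needs an owner and a justification. Step 3 only takes effect for sessions started after the AUDIT statements are issued, so run it before, not after, the patch window you want covered.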

The Critical Patch Update also addresses eight new vulnerabilities in the Oracle WebLogic and AquaLogic product families. Two of these eight vulnerabilities have a CVSS Base Score of 10.0.

The first of these vulnerabilities affects JRockit and encompasses a number of issues in the Sun Java Runtime Environment that were previously disclosed by Sun Microsystems. The Critical Patch Update includes, in JRockit, all the applicable fixes that Sun previously released for these issues.

The second of these vulnerabilities affects the WebLogic Server Plug-ins for the Apache and IIS web servers. Oracle reports the CVSS Base Score as 10.0 because it scores for the worst case, a web server running as root, even though organizational security policies typically call for not running web servers as root. In deployments where the web server does not run as root, the CVSS Base Score for this vulnerability is 7.5, because a successful exploit will not lead to a complete takeover of the machine at the OS layer (in CVSS v2 terms, the confidentiality, integrity and availability impacts drop from Complete to Partial). Note that Oracle has addressed a series of issues in the WebLogic Server Plug-ins since the BEA acquisition, and the fixes for these plug-ins are cumulative: this CPU patch includes all previously released fixes as well. Organizations are encouraged to apply this CPU as soon as possible in order to take advantage of these fixes.

The Critical Patch Update program is in its fifth year (it was introduced in January 2005, and the current CPU is the 18th). Over the years, the program has proven flexible enough to accommodate additional product families (with the inclusion of PeopleSoft, Siebel, and BEA, among others), and it continues to provide customers with a consistent process and predictable schedule for dealing with security patches across their entire Oracle environment.

For More Information:

Critical Patch Updates & Security Alerts web site is located at: http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Software Security Assurance web site is located at: http://www.oracle.com/security/software-security-assurance.html

For more information about Oracle’s use of the CVSS standard, see: http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm


About This Entry

This page contains a single entry from the blog posted on April 14, 2009 11:34 AM.
