April 2007 Critical Patch Update Released
By john.heimann on Apr 17, 2007
Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.
Today, Oracle released its April 2007 Critical Patch Update (CPUApr2007). This Critical Patch Update (CPU) addresses a total of 36 vulnerabilities affecting Oracle Database Server and Client, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Applications.
This release of the Critical Patch Update also marks a small milestone for Oracle Software Security Assurance: it is Oracle's tenth Critical Patch Update. On this tenth anniversary, I thought I would discuss some of the changes and enhancements that were brought with the Critical Patch Update.
Started at the beginning of 2005 (the first Critical Patch Update was released on January 15, 2005), the Critical Patch Update effectively replaced the Security Alert system by providing a predictable schedule for the release of security patches. Oracle's Critical Patch Updates are released quarterly on the Tuesday closest to the 15th of the months of January, April, July, and October. However, Oracle may still deviate from the normal CPU schedule to respond to dangerous threats to our customers. If necessary, Oracle will issue a Security Alert and customers will receive a timely notification of the Security Alert by email through support sites, e.g. MetaLink and Customer Connection, and Oracle Technology Network.
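The quarterly schedule described above can be computed directly, which is useful when planning maintenance windows. The following Python is an added example, not Oracle's code; it implements the rule as the post states it (the Tuesday closest to the 15th of January, April, July and October) and therefore covers only the regular schedule, not out-of-band Security Alerts.

```python
from datetime import date, timedelta
from typing import List

# Months in which a quarterly Critical Patch Update is scheduled (per the post).
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def closest_tuesday(anchor: date) -> date:
    """Return the Tuesday nearest to `anchor`.

    The nearer Tuesday is at most 3 days away, and because a week has an odd
    number of days there is never a tie between the two candidate Tuesdays.
    """
    back = (anchor.weekday() - TUESDAY) % 7  # days since the previous Tuesday
    if back <= 3:
        return anchor - timedelta(days=back)
    return anchor + timedelta(days=7 - back)


def cpu_release_dates(year: int) -> List[date]:
    """The four scheduled CPU dates for `year`: the Tuesday closest to the
    15th of January, April, July and October."""
    return [closest_tuesday(date(year, m, 15)) for m in CPU_MONTHS]


def next_cpu_date(today: date) -> date:
    """First scheduled CPU date on or after `today`.

    A Security Alert issued outside the schedule (which the post says may
    happen for dangerous threats) is not predicted by this rule.
    """
    for year in (today.year, today.year + 1):
        for d in cpu_release_dates(year):
            if d >= today:
                return d
    raise AssertionError("unreachable: the following year always has four dates")


if __name__ == "__main__":
    for d in cpu_release_dates(2007):
        print(d.isoformat(), d.strftime("%A"))
    # Planning example: the CPU that follows the April 2007 release.
    print("next after 2007-04-18:", next_cpu_date(date(2007, 4, 18)))
```

For 2007 the rule yields January 16, April 17, July 17 and October 16, matching the April 17 and July 17, 2007 dates given in this post.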
The predictability provided by the Critical Patch Update mechanism is very important to Oracle customers. It enables customers to plan for the Critical Patch Updates and install them in their normal maintenance windows, avoiding undue interruptions to their business-critical systems.
Also, since the Critical Patch Update is cumulative for most Oracle products (the notable exception is E-Business Suite prior to Release 12), customers can usually move to the current patch level quickly by applying the most recent Critical Patch Update for their product. With this Critical Patch Update, E-Business Suite customers will be happy to find out that Critical Patch Updates for E-Business Suite R12 are cumulative.
Over time the Critical Patch Update documentation was also enhanced to make sure that customers derive more value from it. For example, Oracle was one of the first vendors to support the Common Vulnerability Scoring System in the security advisories of its products. The risk matrices in each CPU advisory provide the CVSS base score for the vulnerabilities fixed in the Critical Patch Update, and the vulnerabilities are ranked in the documentation in order of their CVSS severity. This was an important enhancement, which contributed to significantly enhancing customers' ability to assess the severity of the vulnerabilities addressed in the Critical Patch Updates. We also provide more information than required by the CVSS standard. Darius Wiles, in a previous blog entry, discussed Oracle's implementation of CVSS, including the use of Oracle's "Partial+" rating. With the January 2007 Critical Patch Update, we also introduced the Critical Patch Update Pre-Release Announcement, to provide customers with an advance preview of the upcoming Critical Patch Update.
Even as we reach our tenth Critical Patch Update milestone, the effort required to produce and test the patches for all product and platform combinations in time for our quarterly release dates remains significant. In an effort to provide enhanced support to our customers, we are introducing a change that will affect the content of all future Critical Patch Updates for Oracle Server and Middleware Products: "On Request" CPU releases for historically inactive combinations.
We have noticed that certain platform and version combinations have historically been inactive, i.e., customers seldom download Critical Patch Updates for these environments. Starting with the July 2007 Critical Patch Update, instead of systematically creating Critical Patch Updates for those inactive combinations, we will only produce those patches if customers specifically request them. However, we will continue to include those fixes in the main code line, including future releases and patch sets on all supported versions.
This change should not affect most customers, as we are only targeting inactive combinations. Oracle currently lists the versions and platforms that will receive patches in the next Critical Patch Update in Section 3.8 ("Planned Patches for Next CPU release") of the Critical Patch Update Availability Information for Oracle Server and Middleware Products. The "On Request" combinations will be identified in this list, and customers requiring patches listed as "On Request" can request them from Oracle. The documentation will also detail the process for making these requests. As an example, MetaLink Note 420061.1, published with the April 2007 Critical Patch Update, will list the versions and platforms that will be supported in the July 17, 2007 Critical Patch Update.
There are too many attributes of the Critical Patch Update to discuss in this blog entry. Just as we continue to implement ways to improve our coding practices to minimize the impact of security flaws in our software, we continue to search for ways to enhance the Critical Patch Update process and reduce the impact on customers of Oracle's issuance of security fixes.
As usual, we highly recommend that customers apply all patches promptly. The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts; PeopleSoft customers can download security updates on the Customer Connection portal. The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources. For example, for those of you who may be inexperienced with the Critical Patch Update, we recently recorded a technical webcast discussing the use of the One-Off Patch Installer (a.k.a. "OPatch") with the Critical Patch Updates.